Orange Legal Technologies Corporate Information Briefing 1108
Improving Results for the Legal Custody of Information
Contents
Executive Summary
Key Findings
Implications and Analysis
Recommendations for Action
Research Findings
Burden of Legal Requests: More Likely to Impact Large Enterprises
Large Enterprises: More Legal Summonses and Holds Related to Information
Maturity of Practices for Legal Hold
Confidence in Responding to Legal Requests for Information
Equal Opportunity Outcomes for Legal Holds
Average Financial Settlements and Expenses, by Size of Organization
Expenses Vary Significantly by the Maturity of Practices for Legal Holds
Who’s Involved in Finding, Producing and Protecting Information
Paper, Legacy Information and Electronically Stored Information
Most Time-Consuming and Expensive Information to Find, Protect, and Produce
Time and Expense in IT to Find, Protect, and Produce
Strategic Actions and Practices that Improve Maturity and Results
Practices and Capabilities in IT that Improve Maturity and Results
Most Helpful Technologies to Find, Protect and Produce Data
Discussions with the Lawyers
ESI and the Scope of Legal Discovery
ESI and the Impact of Age and Time
Legal Requests and Summonses for Information
Information Formats, Indexing and Costs
Recommendations from the Lawyers
Regulatory Drivers and Legal Custody of Information
Legal Custody and Controls Effectiveness
Maturity Impacts Legal Custody, Compliance, and Data Protection
Who Should Improve the Maturity of Practices for Legal Hold
Taking Action to Improve Results
About the Research
About IT Policy Compliance Group
© 2008 IT Policy Compliance Group
Executive Summary
Key Findings
Large enterprises spend more than other firms for legal holds
The average financial costs of legal holds placed on information for firms with
normative practices include:
• Large enterprises: From $500,000 to more than $9 million annually.
• Midsize organizations: From $300,000 to $500,000 each year.
• Small businesses: Less than $300,000 per year.
Costs for legal custody are driven by maturity of practices
Organizations with the least mature practices are spending much more, as follows:
• Large enterprises: From $1.5 million to more than $28 million annually.
• Midsize organizations: From $800,000 to $1.5 million each year.
• Small businesses: Less than $800,000 per year.
Firms with the most mature practices are spending much less, as follows:
• Large enterprises: From $120,000 to $2.6 million annually.
• Midsize organizations: From $66,000 to $120,000 each year.
• Small businesses: Less than $66,000 per year.
Improvements to practices increase confidence and reduce expenses
The realities are:
• Firms with the most confidence in the accessibility, completeness and accuracy of data have the most mature practices and spend the least on legal holds.
• Firms with the least confidence in the accessibility, completeness and accuracy of data have the least mature practices and spend the most on legal holds.
Large enterprises have a latent advantage that can be leveraged
Accessibility, completeness and accuracy of data to support legal holds depend
on how much information is electronically stored information (ESI). The numbers show:
• ESI among large enterprises: 50 to 70 percent.
• ESI among midsize firms: 35 percent to 50 percent.
• ESI among small businesses: 20 percent to 35 percent.
However, this latent advantage can only be leveraged if information is indexed for rapid
search, protection, preservation and production in response to legal requests.
Strategic actions and practices that are improving results and reducing costs
The strategic actions that are improving results include:
• Notifying affected employees of legal holds on information within one hour.
• Responding to legal requests within one day.
• Maintaining evidence of handling of data and delivering training to employees.
• Identifying business and financial risks and measuring results.
• Updating policies and procedures and updating records retention programs.
• Improving the quality of legal counsel and legal hold procedures and controls.
• Forming cross-functional teams to respond to requests within one day.
Practices in IT that are improving results and reducing costs
The actions and practices in IT that are shown to improve results include:
• Identifying the gaps in procedural and technical controls.
• Converting information into electronic formats.
• Inventorying and indexing information for rapid search.
• Increasing the frequency of monitoring and measurements.
• Correcting gaps in procedural and technical controls.
• Updating policies and procedures.
• Improving technical and procedural controls.
Most helpful technologies to improve results
The technologies being employed by the firms with the most mature practices
and the lowest expenses include:
• Backup and archive.
• Data capture and conversion tools.
• Data and record indexing tools.
• Records retention and destruction tools.
• Employee education and training tools.
Information to target
The information routinely indexed to search, preserve and produce in response to legal holds by the firms with the most mature practices and lowest costs includes:
• Email, office productivity files, and instant messaging.
• Industry-specific information.
• Product and financial information.
• Employee and customer related information.
Improving the maturity of practices for data custody pays off
Improving the maturity of practices for legal custody yields huge reductions to
current expenses:
• Organizations with the least mature practices can reduce overall expenses for legal custody by a factor of 13 by improving practices.
• The majority of firms, those operating at the norm, can reduce expenses by a factor of 4 by improving practices.
Improving the maturity of practices for the legal custody of information:
• Reduces expenses for legal settlements and fees
• Reduces expenses in IT to find, produce, protect and preserve information on hold
Implications and Analysis
Legal holds on information start when an organization learns of, or can reasonably anticipate current
or pending litigation and regulatory investigations. The complexities involved in complying with
legal requests for information are most prudently carried out under the direction of legal counsel.
As such, whether a firm is named as a defendant, or is caught up in litigation as a third-party, the
custody of information covered by a legal hold should be directed by legal counsel. Notifying employees,
and potentially suppliers or customers, is just the start of a legal process governing holds on information.
Large enterprises: Follow the money
Despite a broad 50/50 chance of being served a court summons related to data and records, larger enterprises are
bearing the brunt of such demands. For large enterprises, the likelihood of summonses starts at two per year, and can
exceed five or more events annually, while the number of annual legal requests for information is far higher.
Legal settlement costs; legal expenses; and costs related to finding, protecting, preserving,
and producing data in response to legal holds for information are far higher among larger
enterprises than midsize organizations and small businesses.
Among larger enterprises, average costs and expenses related to legal holds placed on
information range from $500,000 to more than $9 million annually, depending on the size
of the organization.
Large enterprises with the least mature practices are spending between $1.5 million to more than $28 million annually, depending on the size of the organization.
However, the maturity of practices for information governed by legal holds directly
influences spending. Large enterprises with the most mature practices are spending only 25
percent of the amount firms with normative practices spend: from $120,000 to more than $2.6 million annually, depending
on the size of the firm.
Conversely, organizations with the least mature practices are spending much more than all other firms. Large enterprises
with the least mature practices are spending three times more than firms with normative practices spend: from $1.5 million
to more than $28 million annually, depending on the size of the organization.
ESI: The wave has hit the beach
Although paper-based records are identified as the most traditional format and the most time consuming and expensive for
all organizations, the research conducted with attorneys shows that electronically stored information (ESI) requests are
increasingly making up a larger proportion of the legal requests, especially for email and office productivity files among
other forms of ESI. Unless ESI (email, office files, product design records, customer transaction data, instant messaging
files, financial transactions, etc.) is indexed for rapid search, protection and production, it offers no obvious benefit. For
example, 10 Gigabytes of information is about 500,000 pages, close to 200 boxes of paper that would normally not be
indexed while being stored off-site.
Practice maturities dictate outcomes
Neither the size of an organization nor the industry within which it competes is the arbiter of better or worse performance
results, or of higher or lower costs. Rather, the practices implemented for legal custody are what distinguish how much is
being spent, and how well or poorly organizations are able to respond to legal holds governing information.
Strategic Actions and Practices Making a Difference
The strategic actions distinguishing firms with the best results for legal custody include:
• Maintaining evidence of handling for records and data, and delivering training to employees
• Identifying business and financial risks
• Measuring results
Organizations that respond more rapidly to holds governing information are also excelling at regulatory compliance and the protection of sensitive data.
Practices in IT that are Making a Difference
Leading firms are converting more information into indexed, searchable electronic formats that can more rapidly be found,
preserved, protected, and produced in response to legal requests. Examples of the kind of information being converted
into structured electronic records for rapid search, protection, and production include:
• Email and attachments
• Office documents
• Instant messaging files
• Audio files (telephone records)
Organizations performing as leaders for legal custody are also excelling at
regulatory compliance and the protection of sensitive data. Taking a holistic view of
compliance, these firms are treating the legal custody of information as one aspect
of managing information in an increasingly electronically interconnected world.
Recommendations for Action
Based on the quantitative results of the benchmarks and the qualitative research
conducted with the lawyers, the principal recommendations include the following.
Large enterprises
• Should take action: they are clearly the primary targets of legal requests for information
• Should aggressively improve the maturity of practices to limit financial pain
Midsize organizations
• Should evaluate financial impact, past experience and industry setting
• Should be improving easier-to-implement practices with large paybacks
Improve organizational practices
• Notify affected employees about a legal hold on information within one hour or less
• Respond to the initial request within one business day or less
• Update corporate policies and procedures
• Improve the quality of legal counsel
• Form a cross-functional response team
• Conduct employee training consistently
• Revise records retention policies and procedures
• Improve legal hold procedures and controls
• Measure results more frequently
Improve practices and capabilities in IT
• Target highly probable areas to convert into electronically indexed, searchable archives — especially email, invoices, telephone records, and financial data
• Use indexing tools to enable the rapid search of information covered by requests
• Archive and index paper-based records and data that are most likely targets
• Target additional types of data for conversion, based on industry-specific litigation
• Update IT policies and procedures for the retention and destruction of information
• Maintain evidence of handling and protection of data and records
• Correct gaps in IT procedures and controls
• Measure the effectiveness of controls more frequently
Research Findings
Burden of Legal Requests: More Likely to Impact Large Enterprises
For most firms, there is a 50 percent chance that data and records will have to be found, protected, and produced in
response to legal requests or court summons. However, not all organizations are burdened with the need to find, protect
and produce information in response to legal requests and summonses equally. Rather, large enterprises are bearing the
brunt of responding to legal requests for data, with six out of ten large firms taking action to find, protect and produce data
in response to such demands (Figure 1).
Figure 1: Firms That Are Finding, Protecting, and Producing Information
Source: IT Policy Compliance Group, 2008
By comparison, only three out of ten small businesses with revenues below $50 million are spending time to find, produce
and protect records and data in response to legal requests and summonses. And, only five out of ten midsize
organizations are spending time to respond to these demands.
Large Enterprises: More Legal Summonses and Holds Related to Information
The number of legal summonses received each year is directly related to the size of an organization, with large
enterprises experiencing more such events annually.
However, according to the lawyers interviewed, actual court summonses represent but a small portion of the total number
of legal requests for data, in the range of 2 to 10 percent of all legal requests.
Organizations with annual revenues between $100 million and $1 billion should plan on at least one to two court actions
each year. Firms with $10 billion in annual revenue should plan for between two and five such events annually.
Organizations with more than $100 billion in revenue should plan for more than five summonses each year.
While far more legal holds on data occur than summonses received, and large enterprises are experiencing more summonses
related to legal holds placed on information, the findings deliver proof that “if you follow the money”, the action is clearly
focused on large enterprises (Figure 2).
Figure 2: Number of Annual Summonses by Revenue
Source: IT Policy Compliance Group, 2008
Maturity of Practices for Legal Hold
Not all firms notify affected employees and respond to legal requests for data and records in the same amount of time. In
fact, the benchmark results show a normal distribution for these two key metrics (Figure 3).
Figure 3: Distribution of Practices, Least to Most Mature
Source: IT Policy Compliance Group, 2008
Most mature practices: About one in ten firms
Roughly one in ten—12 percent—of all firms are performing at the most mature levels. These firms are notifying
employees in less than one hour about a legal hold on records and data and are responding to legal requests for
information within one day.
Industry norm: About seven in ten firms
About seven in ten—almost 71 percent—of all organizations are performing at the industry norm: one to eight hours to
notify employees and between one and eight days to respond to legal requests for information.
Least mature: Almost two in ten firms
Almost two in ten—nearly 18 percent—of all firms are performing at the least mature levels, taking more than eight hours
to notify employees and more than eight days to respond to legal requests for data and records.
Confidence in Responding to Legal Requests for Information
According to the legal counsels interviewed, their confidence in cases involving the request of data and records depends
on the accessibility, accuracy, completeness, and trustworthiness of data and records, after considering existing law and
prior rulings.
The research findings reveal that the firms with the most mature practice indicators, those notifying employees within one
hour about a legal hold on data and responding within one day, are more confident than all other organizations. Moreover,
these firms have greater confidence in the accessibility, integrity, accuracy and trustworthiness of data and records: key
considerations, according to the lawyers, when dealing with legal requests for data and records (Figure 4).
Figure 4: Confidence in Capabilities
Source: IT Policy Compliance Group, 2008
Firms with up to one legal request for data each year are the least confident in the trustworthiness, completeness,
accuracy, and accessibility of data and records. These are the same firms that are not actively finding, protecting, and
producing data. If “practice makes perfect,” it may take organizations several legal requests to develop the wisdom to
notify affected employees immediately and the practices needed to respond within one day. Firms with the best results
are doing things very differently than all other organizations. Whether confidence is measured by the trustworthiness,
completeness, accuracy, and accessibility of data, or by confidence in the legal case, the results of the benchmark indicate
that confidence in the procedures for data holds is a necessary enabler for succeeding with the legal case.
Equal Opportunity Outcomes for Legal Holds
Despite a much higher incidence rate for the number of summonses and legal requests received among larger
enterprises, the performance of large firms is in line with the overall maturity of practices across firms of all sizes. This
finding proves that despite more experience among large firms, firm size does not dictate outcomes (Table 1).
Table 1: Different Experiences, Same Results
Firms | Least mature | Normative results | Most mature
Firms with no plans and no activity | 18.2% | 71.1% | 10.7%
Firms actively finding, protecting, and producing data | 16.8% | 69.9% | 13.3%
All firms | 17.5% | 70.5% | 12.0%
Source: IT Policy Compliance Group, 2008
Average Financial Settlements and Expenses, by Size of Organization
Large enterprises operating with normative practice maturities for legal data hold are spending much more on legal
settlements, legal expenses, and internal costs to find, protect and produce data than midsize organizations and small
businesses (Figure 5).
Figure 5: Financial Expenses of Legal Data Holds Among Normative Firms
Source: IT Policy Compliance Group, 2008
A minimum of 50 percent of all expenses are for legal settlements and legal expenses. Internal expenses for finding,
protecting and producing data in response to legal holds range from 25 percent to 50 percent of all costs, based on the
organization size. Large enterprises are spending 60 times more than small businesses and 25 times more than midsize
firms on legal expenses and expenses to find, protect, and produce data.
Expenses Vary Significantly by the Maturity of Practices for Legal Holds
However, financial expense among the firms with normative practices is deceiving. Total expenses are driven higher by
about three-fold among firms operating with the least mature practices for legal data holds. In contrast, firms with the most
mature practices are benefiting from much lower spending: about 25 percent of the expenses being borne by firms with
normative practices for legal data hold (Figure 6).
Figure 6: Average Annual Expenses, by Maturity of Practices
Source: IT Policy Compliance Group, 2008
For example, firms with $10 billion in annual revenues are spending more or less on legal data holds, depending on the
maturity of their practices. Firms of this size with the least mature practices are spending, on average, $6.4 million, while
the normative among these firms are spending about $2.1 million. Those with the most mature practices are spending
much less: slightly less than $480,000 annually. The difference, more than 13 times larger among the least mature and
more than 4 times larger among the majority of firms in the norm, is sufficient financial incentive to improve practices for
legal data holds. The maturity of practices governing legal data holds among firms is resulting in different spending
experiences that include:
• Spending on legal data custody that is more than 13 times larger among firms with the least mature practices
• Spending on legal data custody that is more than four times larger among firms with normative practices
Spending on legal and internal costs to find, protect and produce data in response to legal requests for data is reduced by
greater confidence, which is made possible by more mature practices.
Who’s Involved in Finding, Producing and Protecting Information
The receipt of legal requests for data is a drain on the time and focus of many different functions in the organization,
including legal counsel, IT, senior managers, human resources and affected employees (Figure 7).
Consistent with interviews conducted with legal counsels, the use of contractors to find, protect and produce data in
response to legal requests for information is marginal, and often limited to the initial incident. The relatively high level of
involvement of senior managers in finding, protecting and producing data in response to legal requests indicates either
specifically named legal discovery inquiries, topical relevance such as requests related to financial filings, or a
combination of these. Legal requests for information are occupying a significant amount of time that could otherwise be
put to more productive purposes for servicing and retaining customers, and creating improved shareholder value.
Figure 7: Who’s Involved in Finding, Protecting and Producing Information
Source: IT Policy Compliance Group, 2008
Paper, Legacy Data and Electronically Stored Information
The ability to respond to a legal request quickly and with more confidence depends on two factors: the scope of the legal
request for information, and whether or not the data is stored electronically. The first factor is negotiated by legal counsel,
while the second factor depends on the format of the data. In alignment with fewer requests received annually, firms with
the least amount of data and records stored electronically are small businesses, while the most electronically formatted
data is found among larger enterprises (Figure 8).
Figure 8: Electronically Stored Information, by Revenue
Source: IT Policy Compliance Group, 2008
Based on interviews conducted with legal counsels, accessibility is a key factor in determining the costs of responding to
legal requests for information. For example, almost all of the lawyers interviewed say the cost of acquiring, protecting and
producing information stored on older paper and electronic tape formats is much higher, and depends on being able to
prove undue hardship due to inaccessibility of the data. Furthermore, the lawyers all cited a common experience of
spending time and money to find relevant data on electronically stored tape formats only to find much of the information
illegible due to a degradation that normally occurs to information stored on magnetic tapes over time. While it may be
trickier arguing “inaccessibility” for older paper and magnetic tape formatted data, almost all the lawyers interviewed say
that third-party litigants will likely prevail in having defendants or plaintiffs pay expenses related to legal holds on data.
The research shows that a prevalence of electronically formatted and indexed data increases confidence in outcomes,
reduces costs, and mitigates financial exposure from legal claims supported by holds on data and records. All of the
lawyers interviewed say that in their experience, electronically indexed data is far easier and much less expensive to find,
produce, preserve and protect. And, several of the lawyers interviewed stated, “we’re now adding a lot of other data to the
(electronically stored and indexed) mix”, beyond email and office productivity documents.
Most Time-Consuming and Expensive Information to Find, Protect, and Produce
The most time-consuming and expensive data for organizations to find, protect, and produce are paper-based records, as
well as electronically formatted data and records that are not indexed or are stored in un-indexed tape archives (Figure 9).
Figure 9: Most Expensive Data to Find, Protect and Produce
Source: IT Policy Compliance Group, 2008
After paper and simply archived tape archives, the evidence shows that email, financial records, customer records, and
office productivity files and records are the most time-consuming and expensive information to find, protect, and produce.
Given the explosive use of email and office productivity applications during the past 20 years, it is not surprising that
these rank in the top tier as most time consuming and expensive.
Time and Expense in IT to Find, Protect, and Produce
The time required by firms to find, protect, and produce data and records in response to legal requests for data ranges
from 10 percent to 25 percent of the available time in IT, depending on the size of an organization.
However, not all firms of the same size are spending the same amount of time or money to find, protect and produce data.
Although the time spent in IT on these activities averages almost 18 percent, actual spend on labor varies by maturity of
practices: from a high exceeding 24 percent of the time in IT to a low just under 10 percent of the time in IT (Figure 10).
Figure 10: Time Spent in IT to Find, Protect, and Produce
Source: IT Policy Compliance Group, 2008
A majority of organizations, those operating at the norm, can improve results without increasing labor costs in IT by
leveraging retention, indexing and storage tools to better find, protect, and produce records and data in response to
legal requests.
Strategic Actions and Practices that Improve Maturity and Results
How quickly employees are notified and legal requests are responded to depends on the strategic actions taken by
organizations (Figure 11).
The key actions taken by the firms with the most mature practices include:
• Updating policies and procedures
• Maintaining evidence of handling for records and data
• Identifying business and financial risks
• Delivering training to employees covering legal hold procedures and controls
However, these are not the only actions being taken by leading firms. Others include revising records retention programs,
measuring results, improving the quality of legal counsel, identifying gaps in procedural and technical controls, improving
legal hold procedures and controls, and forming cross-functional teams to respond to legal holds on data.
Moreover, the distinct differences in actions taken by the most mature firms include:
• Maintaining evidence of handling for data and records
• Improving the quality of legal counsel
• Delivering training to employees
• Identifying business and financial risks
• Measuring results.
In addition to strategic actions, specific actions and practices within IT to rapidly find, protect, preserve and produce data
in response to legal requests for data are strongly influencing results.
Figure 11: Strategic Actions and Practices That Improve Results
Source: IT Policy Compliance Group, 2008
Practices and Capabilities in IT that Improve Maturity and Results
The findings clearly show that among the most mature firms, IT is prominently involved in a wide range of activities
related to finding, protecting, and producing data in response to legal requests (Figure 12).
Figure 12: Practices and Capabilities in IT that Improve Results
Source: IT Policy Compliance Group, 2008
The notable practices and capabilities within IT among the most mature firms include:
• Updating policies and procedures
• Increasing the frequency of monitoring and measurements
• Inventorying records and data
• Improving technical and procedural controls
Moreover, the actions and practices within IT that most distinguish the most mature firms from all others include: 1)
indexing data for rapid search, 2) increasing the frequency of monitoring and measurements, 3) correcting gaps in
controls, and 4) updating policies and procedures.
Most Helpful Technologies to Find, Protect and Produce Data
The technologies found most helpful to find, protect, and produce data and records in response to the Legal Custody of
Information include:
• Tools that convert data into electronic formats
• Tools that store data in electronic formats
• Tools for training employees
However, this list is just the start of what may be needed, because among the most mature firms, the tools found to be
most helpful are those for backup and archive, training, data and indexing of information, data capture and conversion,
records retention and destruction, and the identification of records and data (Figure 13).
Figure 13: Most Helpful Technologies to Find, Protect, and Produce Data
Source: IT Policy Compliance Group, 2008
The findings clearly show that firms with the most mature practices, and the lowest costs for legal data holds, are
converting data into electronically indexed formats for more rapid search, discovery, production, preservation and
protection.
Discussions with Lawyers
In addition to the benchmark, lawyers in the U.S. were interviewed to provide a qualitative sense of how they and their
organizations are overcoming challenges associated with legal hold requests. All of the U.S.-based lawyers say that due
to changes to the Federal Rules of Civil Procedure (FRCP), almost all legal requests for information now include
discovery motions involving email formats and office productivity files.
ESI and the Scope of Legal Discovery
All of the lawyers acting on behalf of plaintiffs say that they purposely strive for the widest possible scope of discovery in
order to find evidence that will bolster the case for their clients. And, all of these lawyers say that the new electronic
discovery rules of the FRCP are assisting their efforts. While most of these lawyers admit that the scope of discovery is
independent of the format of the information, and that old-fashioned paper-based records were the most common format
employed in the past, almost all legal requests for information now include email, office productivity files and documents.
In contrast to the “more is better” approach of litigants, lawyers acting to defend their
clients state that the primary objective is to limit the scope of inquiry, for several reasons,
including costs, organizational churn and productivity losses, as well as a normal
defense tactic to limit evidence. All of these attorneys say that their clients are now
routinely being served with requests that include email and office documents as a matter
of course. All of these attorneys say that while paper-based reports had been the norm, and continue to drive requests
from older-line specialist litigation firms, the new rules governing electronic discovery have resulted in requests that also
include database information, audio recordings, Web-based data, instant messaging, and other forms of electronically
stored information (ESI): well beyond email and office productivity files or documents.
Almost all legal requests for information now include email, and office productivity files.
ESI and the Impact of Age and Time
The information being sought by legal requests depends on the type of litigation. For example, the lawyers involved in
product liability litigation say that the normal age of information being sought dates back about five to six years. However,
lawyers involved in financial reporting and fraud, benefits, pensions, life insurance, capital property and casualty claims,
and those involved with longer-term workplace injuries (asbestos claims) say the information being sought dates in age
from five years to many decades.
According to the lawyers interviewed, information older than five years is often viewed as practically inaccessible, even if
it is legally viewed as accessible. For example: almost all the lawyers interviewed cited horror stories about information
stored on magnetic tapes that were found to be illegible due to a normal aging process associated with magnetic tape
media formats.
In addition to age and time associated with legal requests, and the format of the information, the lawyers cited an
interesting twist associated with the age of attorneys acting on behalf of plaintiffs. All of the defense attorneys noted that
when they are dealing with older-line plaintiff firms with primarily older attorneys, the standard formats being requested
are the old stand-bys involving paper-based reports, telephone records, and more recently email and office productivity
files. Only as a result of the changes to the FRCP are these older-line firms starting to more routinely request other forms
of ESI.
However, the profile of the requests for information changes markedly when younger lawyers with younger plaintiff firms
are involved. More familiar with computers and technology, these younger firms and attorneys are serving more requests
for a wider variety of ESI beyond email and office productivity files.
The defense attorneys all say they are noticing a direct correlation between age,
technology familiarity, and an increasing number of requests for information involving a wider range of ESI data beyond
email and office productivity information. According to the lawyers interviewed, ESI is not the wave of the future: the ESI
wave is hitting the beach.
Legal Requests and Summonses for Information
Not all legal requests for information result in a court summons. Lawyers contacted just prior to publication say that in
their experience, there is no typical rate for how many legal requests are resulting in a summons. Several of the lawyers
quoted anecdotal experiences ranging from “1 in 10” to as few as “1 in 50” legal requests resulting in a summons. Despite
an inability to quantify the relationship between legal requests and summons, all of the lawyers say that their firm receives
far more legal requests for data than summons, and that all such legal requests are resulting in legal holds being placed
on data.
The benchmark asked participants how many summons for data their firm had experienced in the past year. As a result of
the anecdotal information regarding the number of legal requests received each year, it is difficult to reliably quantify the
number of legal requests organizations can expect to receive, other than the broad ranges provided by participating legal
counsels: from 1 in 10 to as few as 1 in 50 legal requests for data are resulting in court summons. This
anecdotal information would place the rate of summons resulting from legal requests at between 2 percent (1 in 50), to as
much as 10 percent (1 in 10). These broad anecdotal ranges indicate the number of legal requests for information could
range from a low of 10 each year among small businesses, to a high of 250 per year among larger enterprises. Whether
the rate of requests to summons is 1 in 10, 1 in 25, or 1 in 50, it is clear that there are far more requests being received
each year than summons, and that the process of legal hold on information is being initiated upon the reasonable
anticipation of a legal request for information, not the receipt of a summons related to information that should have been
placed on hold long before a summons arrived.
Information Formats, Indexing, and Costs
Paper-based formats were almost universally viewed as the most expensive to find and produce by the defense attorneys
who were interviewed. However, costs for finding, producing and protecting ESI covered by legal holds span quite a
range according to the lawyers interviewed. The highest costs for finding, producing and protecting ESI governed by legal
holds involve data stored on magnetic tape and other simpler, un-indexed, archived data. The lowest costs for finding,
producing and protecting data were among the attorneys whose firms are employing automated solutions that
immediately store copies of ESI into protected and indexed storage systems, almost all of them involving disks, CDs and
other formats not involving magnetic tape.
All of the defense attorneys say their initial attempts to respond to legal hold in their firm involved costly manual
procedures augmented by external third parties that converted differently formatted data into standard forms for
searching and responding to legal holds. However, all of these attorneys say that due to the costs of such outsourced
services and the number of legal holds governing ESI, doing the work in-house to find, protect and produce data on legal
hold is less expensive, while reducing the risks related to errors that could be challenged.
Recommendations from the Lawyers
The participating lawyers recommend the following:
• Establish the ground rules for what constitutes reasonable anticipation of litigation
• Consistently review policies and controls for the retention and destruction of information
• Establish and implement a consistent notification system
• Respond to requests as soon as possible, even if the response is only for clarification
• Communicate detailed instructions for finding, protecting, preserving and producing covered information
• Index as much data as is reasonable, to drive down costs
• Maintain the integrity of information on hold
• Monitor information and the controls governing information that are on hold
• Implement standard procedures for releasing information that was on hold
Regulatory Drivers and Legal Custody of Information
The primary regulatory mandates responsible for driving legal data hold requests include:
• Sarbanes-Oxley
• Specific industry regulations
• Laws governing data and records
• Laws governing data protection, retention, and privacy
After these, the important regulatory drivers include health care data privacy laws, SEC guidelines and rules, and Federal
Rules of Civil Procedure in the United States governing data and records (Figure 14).
Although FRCP and e-discovery in the U.S. do not jump to the top of the list for regulatory drivers, this may be due to less
familiarity with the legal requirements, or that as a legal mandate FRCP is not perceived to be a regulatory mandate. The
laws governing data privacy among the largely U.S.-based sample for this benchmark rank highly among organizations of
all sizes, while the European data privacy laws rank highly only among large enterprises. The results indicate an overlap
between the practices and capabilities needed to succeed with legal holds placed on information, and those needed for
data protection, privacy, financial reporting and other legal and regulatory compliance mandates.
Figure 14: Regulatory Pressures for Legal Custody of Information
Source: IT Policy Compliance Group, 2008
Legal Custody and Controls Effectiveness
One such overlap is the frequency with which organizations assess the effectiveness of controls and the alignment of
results between the legal data custody, the protection of sensitive data, and regulatory compliance. Firms with the most
mature practices for legal data hold measure controls effectiveness once every 15 days (Figure 15).
Figure 15: Frequency of Controls Assessments
Source: IT Policy Compliance Group, 2008
In contrast, a majority of firms at the norm are only measuring once every 172 days. Finally, the least mature are
measuring controls effectiveness once every year. Firms with the least loss or theft of customer data and the least
problems with regulatory compliance implement continuous controls assessment programs by assessing the
effectiveness of controls once every 18 to 19 days. The benchmark shows that firms doing well in legal data custody,
regulatory compliance, and data protection are implementing the same action: continuous assessment of controls
effectiveness.
Maturity Impacts Legal Custody, Compliance, and Data Protection
Perhaps the most striking finding from the benchmark is the relationship between the maturity of practices for legal
holds on data and how well firms perform on regulatory compliance and the protection of sensitive customer data. Firms
that excel at the Legal Custody of Information are also the same firms that exhibit leadership for regulatory compliance
and the protection of sensitive data (Figure 16).
Ninety-seven percent of firms with the most mature profiles for handling legal holds on data are the exact same
organizations with two or fewer regulatory compliance deficiencies that must be corrected to pass audit. Similarly, 93
percent of these leading firms are the exact same organizations with two or fewer losses of sensitive data each year.
Figure 16: Regulatory Compliance, Data Protection, and Legal Custody of Information
Source: IT Policy Compliance Group, 2008
The skew in these findings clearly shows that the maturity of practices for regulatory compliance, data protection, and legal
practices within organizations are aligned with outcomes, and that the firms with more mature practices are repurposing
practices around controls for regulatory compliance, as well as controls for how sensitive data is handled, accessed,
protected, preserved, searched, and produced for multiple initiatives.
Who Should Improve the Maturity of Practices for Legal Hold
The external pressures for most organizations to find, protect, and produce data in response to a legal request for data
include:
• Legal, government, and regulatory mandates
• Findings and recommendations from auditors
• Public reputation
• Evolving case law
In an age where information is paramount to success and legal requests to support litigation now routinely involve
electronically stored information, pragmatic management of business, financial, and market risk dictates the need to
improve existing practices.
Aside from the financial burden of legal settlements and expenses, larger enterprises not improving their practices for
legal data holds may experience other consequences not measured by this benchmark, including fines and penalties,
elevated reputational risk, and more difficulty with customer and partner expectations. The external pressures for
improving the practices for legal data hold unfortunately indicate that experience is currently the best teacher (Figure 17).
Figure 17: Pressures to Take Action
Source: IT Policy Compliance Group, 2008
Larger enterprises are primarily responding to legal and government findings, followed by claims settlements, public
reputation, and direction from senior managers. What distinguishes the higher response rate among large enterprises
includes findings and recommendations from auditors, and worry about public and brand reputation.
The primary internal pressures to respond and take action include:
• Direction from senior managers
• Prior experience with legal requests for data
• The cost of claims settlements and financial exposure.
Taking Action to Improve Results
In some circumstances, the primary course of action is going to be spending more money to improve legal services. But after
improving legal counsel, the research shows it is essential to improve the maturity of practices for handling legal holds for
information.
The results of the research clearly show that for midsize and large enterprises, it makes sense to:
• Strive for practice maturity leadership, for legal data hold and custody
• Take the strategic actions shown to improve results
• Implement the actions and practices within IT that are shown to improve the ability to find, protect, and produce data
subject to legal hold
• Improve the maturity of organizational and IT practices
• Implement the technologies shown to improve results
• Treat the legal hold of data like other compliance activities
Small businesses
Small businesses are not suffering from a large number of legal requests or summons related to information, and the rate
of spend on legal data hold among small businesses is much less than all other organizations. As they say: “the pickings
are slim”, among small businesses.
Unless the firm has specific experience with large numbers of legal holds on information, or faces severe regulatory and
legal penalties, there is no indication of huge financial pain or financial reward among most small businesses, to justify large
spending to improve the maturity of practices for legal data custody, at this time.
Midsize and large enterprises
The benchmark clearly shows that for all large enterprises and many midsize organizations, improving the maturity of
practices for legal data custody will pay off, with obvious financial benefits that include:
• Significant reductions in overall expenses, by factors of 4 to more than 13
• Lower financial settlement expenses
• Lower expenses for legal services
• Lower expenses to find and produce information subject to legal hold
• Lower expenses to preserve and protect data subject to legal hold
Not quantified by the benchmark is the opportunity-cost for a wide variety of people involved with and responding to legal
holds on information, especially among senior managers. Presumably, more mature practices would result in reductions
in the amount of time senior managers are spending on this activity: allowing these people to focus on more fruitful
activities.
The non-financial benefits of improving the maturity of practices for legal requests for information — improved brand
equity, trust, and customer retention — are beyond the results quantified by this research. For most, these could prove to
be far more beneficial than the reduction of costs for legal settlements and internal expenses that will occur by improving
the practices for legal custody of information.
About the Research
Topics researched by the IT Policy Compliance Group (IT PCG) benchmarks are part of an ongoing research calendar established by
input from supporting members, advisory members, and findings compiled from recent research.
The most recent benchmark covering the Legal Custody of Information, which is the basis for this report, was conducted between
October and November 2007 with 235 qualifying respondents in different organizations. The error for this benchmark research is plus
or minus 6 percent. The majority of the organizations (90 percent) participating in this benchmark are located in the United States.
The other 10 percent come from other countries, including Australia, Brazil, Canada, France, Germany, Ireland, Japan, the
Netherlands, Poland, Singapore, Spain, the United Arab Emirates, and the United Kingdom among others. In addition to specific
tracking questions common to each benchmark, the research is designed to discover answers to specific topics. The primary topic of
the most recent benchmark was the experience of organizations concerning legal holds for records and data.
Industries represented
A wide range of industries participated in the benchmark including advertising; aerospace; agriculture; automotive; banking;
chemicals; computer equipment and peripherals; computer software and services; construction, architecture, and engineering
services; consumer electronics, consumer packaged goods; distribution, education, financial, and accounting services; food and
beverage services, general business and repair services; government—public administration; government—defense and
intelligence; health, medical, and dental services; insurance, legal services; management, scientific, and consulting services;
manufacturing; medical devices; metals and metal products; mining, oil, and gas; pharmaceuticals; publishing, media, and
entertainment; real estate, rental and leasing services; retail trade; telecommunication services; transportation and warehousing;
travel, accommodation, and hospitality services; and utilities and wholesale trade. Manufacturing accounted for 13 percent of
participating organizations. All other industries accounted for less than 10 percent of the benchmark sample.
Revenue of participating organizations
Thirty-five percent of the organizations participating in the benchmark have annual revenues, assets under management, or budgets
that are less than $50 million. Another 23 percent have annual revenues, assets under management, or budgets that are between $50
million and $999 million. The remaining 41 percent have annual revenues, assets under management, or budgets that are $1 billion or
more.
Number of people employed by participating organizations
Thirty-six percent of the participating organizations employ fewer than 250 people. Twenty-two percent employ between 250 and
2,499 people. The remaining 42 percent employ 2,500 or more people.
Job titles of participants
Thirty-two percent of the participants in the benchmark are senior managers (CEO, CFO, CIO, etc.), 14 percent are vice presidents, 25
percent are managers or directors, 27 percent are staff, and 2 percent are internal consultants.
Roles of participants
Twenty-nine percent of the participants work in IT; another 29 percent work in finance and internal controls; 14 percent work in
customer service; 9 percent work in legal and compliance; 7 percent work in product design and development; 7 percent work in
sales and marketing; and the remaining 5 percent are distributed across other job functions, including manufacturing, procurement,
purchasing, and logistics.
About IT Policy Compliance Group
The IT Policy Compliance Group is dedicated to promoting the development of research and information that will help organizations
meet their policy and regulatory compliance goals. It focuses on assisting member organizations in improving results based on
fact-based benchmarks.
The IT Policy Compliance Group Web site at www.itpolicycompliance.com features content created by leading experts in the world of
compliance and published reports containing primary research. Research and benchmarks sponsored by the Group produce
fact-based insight and recommendations about what is working and why.
The results of Group-sponsored research are designed to help legal, financial, internal controls, IT audit, IT security, and compliance
professionals to:
• Benchmark IT policy compliance efforts against peers and best-in-class performers
• Identify key drivers, challenges and responses to implement successful IT policy and compliance initiatives
• Determine the applicability and use of automation tools to assist, streamline and improve results
• Identify best practices for IT policy and compliance programs
The Group relies upon its supporting members, advisory members, and significant benchmark findings to drive its research and
editorial calendars.
IT Policy Compliance Group Supporters
Symantec Corporation
20330 Stevens Creek Boulevard
Cupertino, CA 95014
+1 (408) 517 8000
www.symantec.com
info@symantec.com
The Institute of Internal Auditors
247 Maitland Avenue
Altamonte Springs, FL 32701
+1 (407) 937 1100
www.theiia.org
iia@theiia.org
Information Systems Audit and Control Association
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
+1 (847) 253 1545
www.isaca.org
info@isaca.org
Computer Security Institute
600 Harrison Street
San Francisco, CA 94107
+1 (415) 947 6320
www.gocsi.com
csi@cmp.com
Protiviti
1290 Avenue of the Americas, 5th Floor
New York, New York 10104
+1 (212) 603 8300
www.protiviti.com
info@protiviti.com
IT Governance Institute
3701 Algonquin Road, Suite 1010
Rolling Meadows, IL 60008
+1 (847) 660 5600
www.itgi.org
info@itgi.org
Founded in 2005, the IT Policy Compliance Group conducts
benchmarks that are focused on delivering fact-based guidance
on the steps that can be taken to improve results. Benchmark
results are reported through www.itpolicycompliance.com for the
benefit of members.
IT Policy Compliance Group
Contact:
Managing Director, Jim Hurley
Telephone: +1 (216) 321 7864
jhurley@itpolicycompliance.com
www.itpolicycompliance.com
August 2008
The information contained in this publication has been obtained from sources that the IT Policy Compliance Group believes to be reliable, but is not
guaranteed. Research publications reflect current conditions that are subject to change without notice.
Copyright © 2008 IT Policy Compliance Group. Names and logos may be trademarks of their respective owners.
All rights reserved. 8/08 14524678