ESI and Data Governance: Part 1

The Basics

Enterprises of all sizes store troves of information in many different Explore-the-Dataforms and formats about their employees — and these data pools will undoubtedly multiply over the coming years.  Employment lawyers will be required to interact with technical personnel to assess preservation and if necessary, supervise production.

So, what’s an employment lawyer to do?  Turn to data governance!

Let’s first look at some basics first, and then, in my next post, we will turn to the heart of this area: data governance for employment lawyers.

  • What counts as Electronically Stored Information?   Information about your employees (along with all the other data your company holds) is called Electronically Stored Information (ESI) by the F.R.Civ.P and is broadly discoverable.  I won’t waste your time describing ESI any further or defending the proposition that courts interpret ESI very liberally.  They do (see e.g., Small v. Univ. Med. Ctr. of S. Nev., Case No.: 2:13-cv-00298-APG-PAL, 2014 U.S. Dist. LEXIS 114406 (D. Nev. Aug. 18, 2014)).
  • Variations on a theme:  ESI.  While it is well known that ESI can be found in many forms, its important to recognize that those forms are multiplying with serious frequency: Beyond documents, databases, and emails, clearly ESI includes work-related texts on a personal phone, in metadata, on apps, created by apps and on your or party servers, in logs, stored on a personal computer at home or on a local drive at work. Simply, such data stores will only be increasing as new technologies enter the workplace.
  • Discovery and ESI. It is important to point out that Rule 26(b)(2)(B) limits discovery on ESI from sources not “reasonably accessible,” and provides a court discretion to order discovery and specify cost-shifting to obtain that discovery.    For much more on discovery of ESI, take a look at the materials prepared by (the oft-cited) Sedona Conference.  See here and here.

In the Next post, ESI and Data Governance.

  • Data Governance.  Data governance is the system of rules and procedure (or lack thereof) concerning how an enterprise’s ESI is stored, managed, used, stored, merged, erased, and retrieved.  According to the Data Governance Institute, data governance is a “system of decision rights and accountabilities for information-related processes, executed according to agreed-upon models which describe who can take what actions with what information, and when, under what circumstances, using what methods.”  While data governance is a term not usually directly associated with employment lawyers, it should be.  (After all, one of the core cases in the e-discovery world was an employment discrimination case) .

In short, when one considers the breadth of ESI and its discoverability, solid data governance is essential to employment-related risk management

So, what is an employment lawyer to do about data governance?

The first step, which we will address here, is a big one: fully assessing the situation.  Some key questions* can help frame your investigation:

  1. Do you have a data “governor?” In other words, is someone in charge of data governance? Is there/can there/should there be a cross-functional team that deals with data issues?  Are you or other lawyers on that team or connected to the process?
  2. Have you surveyed your situation? Do you know what data is where, what retention policies are in place and who is in charge of deciding upon and executing those policies?
  3. Do you have a data governance strategy, even an informal one?
  4. Do you know the probability of risk? How has that data been used (or abused) in the past?  What is your litigation and discovery risk?
  5. How are data emergencies (breaches, discovery requests) and data security managed? Who decides?  Are litigation holds designed to work across technologies, such as ensuring data preservation of text messages?
  6. How will you assess the true costs of e-discovery? What is, in good faith, “reasonably accessible” and what is not?
  7. Are employees properly educated in good data stewardship and practices, including how and when to mark documents as privileged?
  8. Are you monitoring the efficacy of your controls?
  9. Is someone able to report on data governance and its efficacy as an F.R.Civ.P 30(b)(6) witness?
  10. How will you ensure that your data governance plan is up-to-date and is encompassing new and emerging technologies?  For instance, as encryption becomes more “popular” (Google and Apple have released phones will “full device” encryption) what rules will issue to employees?
  11. How would you measure a “successful” data governance plan?

In short, you need to Assess, Plan and regularly Reassess.

More on this topic in the coming weeks.

*- Citations and very interesting reads: my questions these questions are adopted from, but do not exactly mirror, IBM’s Data Governance Blueprint: Leveraging Best Practices and Proven Technologies (pdf) and Gartner’s How to Measure Success with Information Governance?.  See also the American Health Information Management Association’s E- Discovery Litigation and Regulatory Investigation Response Planning: Crucial Components of Your Organization’s Information and Data Governance Processes.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s