
Mike Karp, Senior Analyst at Enterprise Management Associates, outlines the difficulties ahead.
There are a number of challenges facing those involved in e-discovery, and the problem in one sense is emblematic of all the problems associated with storage – it’s very easy to store stuff, it’s just not easy to store data in a well-managed fashion. And clearly, as the amount of data of any sort grows, the problem gets worse and worse.
One of the issues is the need to discover and provide data to anyone involved in a discovery exercise in the same format as that in which it’s stored. A decade ago, there was a tremendous advantage to having lots of data because companies could respond to discovery requirements in one of two ways: they could provide the minimum amount of data that was needed (which was actually pretty stupid); or they could provide everything, and the sheer weight of the data often made it impossible for anybody to discover what they were looking at.
The new federal e-discovery regulations have changed all that, but what’s interesting here is that with very few exceptions, smaller companies are held to the same standards as larger companies, placing them at something of a disadvantage because they lack the corporate infrastructure to support an office of compliance. Up until not too long ago, you sometimes had months to provide the required information (if in fact, you ever wound up delivering it at all). Now, you default into a position of non-compliance if you don’t get the required information delivered in the required format within the time span allocated – the standard is that you’ve got to get things done in a couple of days. So it’s an extremely challenging situation for companies large and small.
In response, many large companies find it appropriate to build their own compliance office, but there’s also been a rise of service providers addressing this specific issue. The result is that even companies that are fairly small and can’t support the big compliance guidelines for internal governance and regulatory guidelines can hook up with a service bureau. This is very similar in one sense to the old storage service provider model that proved so popular in the late 1990s.
What is different from 10 years ago is that there is a really significant value-add with these service providers. They’re no longer just offering storage; they’re offering storage with the capability of indexing all the necessary information to a fairly broad client list. And it’s not only an understanding of the client’s data that they are able to provide; they are also able to do what many companies are really shooting for – provide a list of the appropriate industry regulations that apply to each company. It takes some of the worry out of the discovery mechanism because companies now have a list of policies that determine how they classify data to make it more discoverable.
Up until now, this has been a real headache. The fact that there are conflicting regulations telling companies to destroy some documents while preserving others is really a prickly issue with all the companies that I’ve spoken to. It’s relatively easy to come up with a coherent policy for your electronically stored information once you get appropriate guidance from your legal department; what’s more challenging, however, is coherently and consistently applying that policy. Most of the major messaging systems keep everything, and they keep it everywhere, and most regulations will be applied to the data wherever it resides. The problem is that even once you understand the regulation, it’s very hard to make sure that it’s being applied in the branch office in some small town in Iowa in the same way it’s being applied in the corporate office in Philadelphia.
I think the consistency issue is something that companies of all sizes are having to address, and I think many of them struggle with it because the data appears in both electronic form and also hard copy. That doesn’t make it more difficult to discover the data, but it makes it more difficult to discover the second order effects of that data. You know what the data is, but as it federates throughout a large organization, it becomes increasingly difficult to track who accesses and who should have access to it, particularly when it goes offline and becomes hard copy.
In terms of addressing these challenges, the issue has everything to do with the way policies are defined and managed, and the definition of the policy itself has to be done in close partnership with the corporate legal department or the legal department at the service provider you are working with. There are also implementation issues, because the technology in this space is, to a large degree, still something of a work in progress. It’s about understanding and controlling the way all transactions are journaled, and about simplifying the way data is stored upfront. A particularly useful technology that can be applied here is the concept of deduplication, where you get rid of the hundreds of copies of each document so you only need to track one. That is a technology that makes a contribution to almost every aspect of storage.
Many companies are working proactively with e-discovery vendors to get a handle on their data so they can meet regulatory requirements, and I think it’s important to understand that the per diem cost for responding to an e-discovery demand can be tremendously high.
Beyond the cost issue, however, there are also business benefits: you have the very practical issue of being compliant, but also the second order effect that people are going to sleep better if they know they don’t have to trawl through three terabytes of data to answer an e-discovery requirement. In terms of both compliance and storage management, the immediate value is that it forces you to impose every possible efficiency you can on all aspects of your storage efforts. In this respect, the streamlining aspect mentioned earlier is a major benefit.
It also shows the limitations of a TCO approach because there are benefits here that wouldn’t necessarily shake out of a TCO analysis. For example, if you streamline you have an opportunity to stop buying additional capacity or to get rid of a lot of storage or to put it offline for a while. You also have an opportunity to engage with fewer management personnel, because there’s a more manageable environment with less raw data but the same amount of information. That, by definition, becomes more manageable.
Mike Karp has spent over 20 years in storage, systems management and telecommunications. Having worked for both Fortune 500 and start-up companies, he has extensive tactical and strategic experience in business development, strategic alliance and channel programs, marketing, and industry research and analysis. Mike’s focus at EMA is storage, storage management and the methodology that brings these technologies into the marketplace.
Preparing for e-discovery
Open communication with the legal team
Lawyers need to help make decisions in a number of critical areas, such as whether it’s appropriate to store document metadata long-term, whether data can be archived in something other than its native format, who should be trained to testify in court about IT practices of the organization, and what the triggers are for holds or data collection. Just as security teams must work closely with auditors for regulatory compliance, it’s now time to build ties with the legal group.
Create policies and procedures for discovery
It’s easy to recommend – and not so easy to implement – but in the end, e-discovery means establishing policies and procedures, documenting them and building systems that support those policies. One of the first questions that courts will ask is: “What are your policies?” Every organization needs a good answer. Policies should include data retention, holds, information integrity and user education.
Don’t save if you don’t have to
Only essential business information need be stored and made available for discovery purposes; part of the e-discovery project should therefore be an assessment of what is stored across the organization. Is it all satisfying a business requirement, contractual edict or regulatory mandate? If the answer is no, then retention of the information might not only be unnecessary but also unduly risky.