Electronic discovery (also called e-discovery) refers to any process in which electronic data is sought, located, secured, and searched with the intent of using it as evidence in a civil or criminal legal case. Discovery of electronic records has become a concern in litigation and government and regulatory investigations. Having policies in place to manage and store this electronic data is a key factor in risk management.

Does your organization have a records retention policy? Many times all the key players in an organization do not come together to create a policy that all employees are aware of and adhere to. Risk managers need input from executives as to who may be implicated in particular legal matters and IT leaders need to know where electronic documents are stored, and where paper documents are located.

Defining a Policy

Restrict what employees can put in writing. Employees should be trained on sending electronic communication inside as well as outside of the organization to ensure that only necessary information is being transmitted. Creation of electronic information is often made without concern as to formality or an understanding that it can be later discovered or taken out of context. Having clear cut guidelines will help to manage the volume and content contained in the data.

Data that is stored should be classified using a strategy called records and information management (RIM). RIM is the practice of controlling the most important records of an organization throughout their life cycle. This includes identifying, storing, archiving, preserving, retrieving, tracking and destroying records. The objectives of a data retention policy are to keep important information for future use or reference, to organize information so it can be searched and accessed at a later date and to dispose of information that is no longer needed. Data that is no longer useful to the business or required by law should be deleted so that it does not come back to haunt a company. Different types of data needs to be retained for different lengths of time.  A data-retention policy often follows a retention schedule that lists every possible type of information that the company could have in its stores and the required retention period. There should also be special instructions for archiving and for the deletion of data, once the time limit has been exceeded. The policy is also likely to include procedures for retaining information when litigation is under way.

Providing clear guidelines when it comes to electronic communications, organization of data and retention procedures will expedite the eDiscovery response which will in turn decrease costs and delays. Many companies are reluctant to put an eDiscovery risk management plan in place due to the lack of time and training that is needed to create an effective plan. But waiting for the inevitable will not make things easier. Having an action plan in place for managing the risk can make all the difference in the result.