In the December 2014 issue of Metropolitan Corporate Counsel, Jake Frazier called for companies to recognize information governance as a must-have tool for the defensible disposal of data. He revisits the topic, sharing examples of FTI’s solutions for its clients. His remarks have been edited for length and style.
MCC: A year ago we interviewed you when you launched the new information governance and compliance services at FTI Technology. What was the industry response?
Frazier: We’re pleased that we’ve had an overwhelmingly positive response. We’ve grown faster than we had anticipated in our best-case scenarios. That comes with different kinds of challenges, of course, but we’ve added quality professionals to our ranks so we’ve been able to keep up with the client demand. A lot of corporations have reached out to us proactively, including one general counsel after reading the Metropolitan Corporate Counsel article. He said, “You know, I’m not 100 percent sure what information governance is, but in reading the article, I can tell that I need it, so please come help.” They had a problem with backup tapes, throwing more and more of them on the pile every month and just kind of drowning in data, so when e-discovery popped up, it was a particular problem. That’s something that resonated with him from the article, and we were able to help them.
MCC: Can you tell our readers why or how your information governance services are different from other offerings?
Frazier: Our clients tell us that they like to work with us in the IG space because, to paraphrase one client, we “keep it real.” I asked what they meant, and it is that we get our hands dirty, roll up our sleeves and work with data. We actually do defensible disposal of backup tapes, rather than simply issue opinion documents saying what you should do with backup tapes. We actually offer the solution. That’s really been our differentiator. We don’t just do a bunch of interviews and create a document that tells you our recommendations, but we also offer managed services to fix the nasty problems.
Another example is a top 5 investment bank that had over two petabytes of data spread across their file shares. They needed help sorting out how much risk was in that data. We put a team on-site to index and classify data containing personally identifiable information (PII). We also worked with them to put their voice recordings and other data in order with compliance obligations. The hands-on approach is a real difference. We do the strategy, but we also get pretty technical with our clients as well.
MCC: Can you give us any other case studies of the work you’ve done?
Frazier: As another example, a client was having problems managing their legal holds internally. They were using spreadsheets and their email system to try and notify all the different custodians who might have relevant data subject to a legal hold. We came in and designed a defensible process and found a software solution to meet their exact need, a software that we’re now hosting in our data center on their behalf. We’re offering a service that allows them to conduct their legal holds in an automated way. It’s hands-on solving the problem for them, a mixture of strategy and tactical value.
MCC: What benefits can companies expect with these projects?
Frazier: We pride ourselves on baking the benefits into the engagement. When clients select FTI Technology for their information governance engagement, they’re actually buying the outcome rather than just opinions or advice. What does that mean? We put specifics into the plan and contract, like, “We will index x amount of terabytes of data,” or “We will provide an online portal for you to manage your legal holds.” The client doesn’t have to take the step-by-step approach of first giving us an assessment of how bad the problem is, then providing us with a document that tells us how bad the problem is, before we’ll start looking at potential solutions. We’re actually able to say in our contracts, “We’ll come in. We’ll assess. We’ll find the problems, and then we’ll also solve those problems.” Those are just deliverables in the contract. It gives clients the certainty that they’re investing in something that’s actually going to solve their problem.
MCC: What are some of the common information governance challenges your clients are talking to you about?
Frazier: There are usually two categories. One is the top down problem of how to organize around this problem. How to create a program? Who should run the program? Who should be on the committee, and how often should they meet? What should they talk about? The second is the tactical – the symptoms of that bigger problem I mentioned.
The most common ones tend to be around managing legal holds and preservation, managing archives, scanning networks for sensitive and critical information, and remediating any of those instances. We’re also contacted often because of backup tapes and the problem of defensibly deleting ever-growing backup-tape stores. Audio files and other new forms of information, like data in the cloud, are other common challenges that are really symptoms of the larger strategic problem of how can we get our information under control.
MCC: Tell us, how does information governance impact e-discovery, and for your clients, has one helped the other?
Frazier: I’ll give you an example of a client with a growing store of backup tapes, since this is an issue affecting many companies. They have legal holds that come in pretty quickly. They decide to stop recycling their backup tapes in order to make sure they have a fallback, and all of a sudden, five, six, seven, eight years go by. The recycling of backups hasn’t turned back on because they’ve been using these backup tapes as a fallback. The amount of tapes increases every month, so it’s not uncommon to have clients with anywhere from thousands to hundreds of thousands of backup tapes, representing tremendous risk and cost. An IG project can determine the legal holds the company is actually subject to and defensively dispose of the tapes that don’t have data on them that could be subject to those holds.
The next time that an e-discovery case rolls around that you lose an argument and need to go to the backup tapes, you have much fewer backup tapes to go to. Therefore the cost and the time to comply and meet deadlines in e-discovery are drastically reduced. That’s one of the clearest ways that we show linkage between information governance and e-discovery.
MCC: When we spoke last year, the sense was that many perceive information governance as something that’s nice to do rather than a must-do project. Is this still the case?
Frazier: I continue to see a shift toward IG being a must-do initiative. It stems from the problem that a lot of corporations have taken the approach of throwing more disks or more storage at the problem. If you think the fundamental problem is that data is growing, and they’re accumulating large amounts of data, then adding more storage would seemingly solve the problem. What’s happened, though, is budgets aren’t growing, so often the CIO, CFO, COO are now faced with the problem of significantly increased data costs for storage, security and data privacy obligations. That’s causing them to say, “Solve this problem. Dispose of some of this data or otherwise we’re not going to be able to keep the lights on.” As you can imagine, that changes the conversation from “nice to have” to a “need to have” pretty quickly.
MCC: What are some of the common signs that a company needs to examine its information governance program?
Frazier: One is runaway e-discovery costs. If e-discovery is costing more and more every year, that’s a sure sign that data is growing and there’s no offsetting force to drive that cost down. Some of those offsetting forces can be doing e-discovery better from an in-house perspective – defensible disposal, classification of data, etc. The e-discovery pain point is usually a good indicator of information governance needs.
Another common sign, and certainly the newest and most pressing for many companies, is the inability to know with certainty where sensitive data resides. This could be information that’s subject to data privacy regulations, such as personal health files or PII, like credit card information, account numbers, Social Security Numbers, etc. This type of data carries a special risk because of various statutory and data protection laws and regulations that levy penalties and fines. If a company can’t definitively state that they’re sure they have that information under lock and key, that’s another key sign that it’s time to take a look. Many of our engagements are to help clients figure out where sensitive information resides and make sure that it’s under lock and key.
MCC: What advice would you give companies waiting to begin an information governance project?
Frazier: Usually the companies that are in this space are in a situation where perfection has become the enemy of good. By that I mean they’re looking for the all-encompassing program and technology that will solve all the problems. The problem is, time is going by, and the problems are getting worse.
My advice is usually to simply talk to the key stakeholders – legal records and compliance, IT, and security – and ask them what their pain points are. They’ll give their top one, two or three pain points, and more than likely, from that list you’ll have one or two tactical IG projects that you can get started on quickly. If you can produce good results quickly, this can help build momentum. Once you make a dent in the problem and you can show some results in either cost savings or risk reduction, then you’ve got something to build on. The key is to get started and not let perfection be the enemy of good.
Jake Frazier, A Houston-based senior managing director of information governance and compliance at FTI Consulting. email@example.com