
eDiscovery Risk & Audit

Scott Shinners and John Vyhlidal ConAgra Foods Inc

Objectives

- Overview of the eDiscovery landscape
- Discuss the risks related to the area of eDiscovery
- Overview of best practice strategies for dealing with eDiscovery risks
- Describe the related information technology management issues
- Discuss the development of the eDiscovery Audit Program

Content

- Background
- Risks
- Management Processes and Controls
- Audit Program
- Debrief
- Sources

Background
Every year enterprises collect, process and accumulate a snowballing amount of data from an ever-expanding set of internal and external sources.

According to a recent estimate by market researcher IDC, the expanding digital universe, reaching 1.8 trillion gigabytes, will drive demand for cloud-friendly information infrastructure and real-time analytics for "big data". In a 2010 study, Gartner showed that data growth was one of the top three challenges for data center managers at 47 percent of large enterprises.

This amount of data holds abundant potential to provide guidance for decision making in many areas of the enterprise. Most of the data is relevant and necessary to an organization, so collecting less data is not a viable option. Data can, however, constitute several risks to the organization if not properly managed; here we will focus on litigation and regulatory risk.

Electronic discovery (eDiscovery) is pertinent to criminal or civil litigation and deals with the exchange of information in electronic format:
- Electronically stored information (ESI)
- All other forms of information (digital or print)
- Digital forensics analysis for evidential recovery

Electronic discovery was the subject of amendments to the Federal Rules of Civil Procedure (FRCP), effective December 1, 2006.
- States have copied these e-discovery rules into their own requirements
- Effectively forced civil litigants into a compliance mode
- Impacts both the proper retention and management of ESI
- Affects both the response to discovery and day-to-day data management
- Improper handling could lead to adverse inference, summary judgment, or sanctions
- Attorneys can be brought before the bar and risk their livelihood

Discovery
The process of identifying, locating, securing and producing information and materials for the purpose of obtaining evidence for use in the legal process. Additionally, the process of reviewing all materials that may be potentially relevant to the issues at hand and/or that may need to be disclosed to other parties, and of evaluating evidence to prove or disprove facts, theories or allegations. Common discovery methods include interrogatories, requests for production of documents and depositions.

What is eDiscovery:
The process of collecting, preparing, reviewing, and producing electronically stored information (ESI) in the context of legal discovery

Organizations have aligned their legal and information technology (IT) functions for day-to-day data management and for requests for information related to possible, pending, or actual litigation.
- IT typically owns data governance and data management, but that is changing
- Litigation support functions have matured in most organizations
- e-discovery business processes and software tools are maturing
- Data archiving and retention practices are catching up
- Organizations also need archiving solutions that are both cost effective and comprehensive
- Controls must be put in place to ensure the data's accessibility and integrity

What is the definition of electronically stored information (ESI)?
- Data is identified as relevant by attorneys and placed on legal hold
- Evidence is then extracted and analyzed using digital forensic procedures, and is usually converted into read-only format for potential use in court
- ESI is considered different from paper information because of its intangible form, volume, transience and persistence
- ESI is usually accompanied by metadata that is not found in paper documents and that can play an important part as evidence (e.g., the date and time a document was written could be useful for copyright)
- The preservation of metadata from electronic documents creates special challenges to prevent spoliation


All types of electronically stored information could be relevant evidence:
- Hard copy documents
- Graphics/charts
- Business data
- E-mail
- Instant messaging chats
- CAD/CAM files
- Recorded sessions (video or audio)
- Images
- Web sites

Common Issues
A number of different people may be involved (e.g. lawyers for both parties, forensic specialists, IT managers, records managers, etc.):
- Potential for miscommunication or ineffective coordination
- Forensic examination and the use of unusual terminology and acronyms
- Failure to understand or apply the organization's policies and practices
- Potential for accidental alteration or destruction of data

Given the complexities of modern litigation and the wide variety of information systems on the market, electronic discovery often requires specialized technology that may be difficult to manage. Failure to get expert advice from knowledgeable personnel often leads to additional time and unforeseen costs in acquiring new technology or adapting existing technologies to accommodate the collected data.

Legal Defensibility Critical Success Factors
- Documentation
- Accuracy
- Auditability
- Reproducibility
- Collection methods
- People

Goals For An Effective eDiscovery Program
- Ability to provide discovery-requested electronically stored information regardless of the type of content and storage location across the organization
- Responding to requests for discovery efficiently, effectively and completely
- Providing required information completely
- Refraining from providing information not requested

Process
It is critical to identify the sources of data that may be needed to formulate the information or to satisfy the request for information. Information may need to be mapped to identify the relevant sources of information:
- Owner/Custodian
- Content
- Format
- Source Systems/Device/Technology

A preservation process needs to be established so that information relevant to current or reasonably anticipated litigation, audit or government investigation is preserved. Failure to properly preserve information can negatively affect the outcome of the case and can expose the organization to additional sanctions.

Risks

- Intentional/unintentional removal of records
- Intentional/unintentional adulteration of records
- Data security, integrity, and privacy considerations
- Inability to recover records
- Providing unnecessary records
- Providing the wrong records
- Social media/non-traditional communication channels subject to eDiscovery
- Losing litigation cases (macro level risk)
- Fines for non-compliance (macro level risk)

Management Processes and Controls

- Management processes using the Electronic Discovery Reference Model
- Process steps to implement an effective eDiscovery solution
- Assessing management's processes using a capability maturity model
- Entity level control practices for effective data management
- Application and IT general controls for eDiscovery solutions

Legal Hold Process
Communications issued to record owners/custodians as a result of current or anticipated litigation, etc. that suspend the normal disposition and processing of records. An integral part of the overall preservation process.



Model Legal Response/Legal Hold Process Steps:

1. Identify Team: Legal, Records Mgmt., IT, Business
2. Identify Sources:
   - Individuals
   - Paper sources
   - Electronic sources: email, IMs, documents, backups
3. Identify Locations:
   - Equipment: servers, desktops, laptops, file shares, PDAs, removable storage
   - Third parties
4. Manage and Monitor: initiate, custodians, incident, legal hold notice, tracking, monitoring, enforcement, status, communication, follow-up



Processing
- Capture and preservation of electronic documents
- Association of collected documents with particular users, owners, custodians
- Capture and preservation of metadata
- Establishment of parent-child relationships between source data files
- Automation of the identification and elimination of redundant and duplicate data
- Provide programmatic means to suppress material not relevant to the review
- Unprotect and reveal information within files
- Maintain defensibility, cost effectiveness and expediency of the process
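The processing controls above, as an added example in Python that is not part of the presentation: read-only capture with SHA-256 hashing and file-system metadata preserved, hash-based de-duplication that keeps an audit trail of what was suppressed, and parent-child tracking so an e-mail and its attachment are produced together as a family. The item ids, custodians and file contents are constructed.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path

@dataclass
class Item:
    item_id: str
    path: str
    custodian: str
    parent_id: str = ""   # container (e.g. an e-mail) this item was extracted from; "" = top level
    sha256: str = ""
    mtime: float = 0.0

def preserve(item):
    # Read-only capture: hash the bytes and record file-system metadata without modifying the source
    with open(item.path, "rb") as f:
        item.sha256 = hashlib.sha256(f.read()).hexdigest()
    item.mtime = Path(item.path).stat().st_mtime
    return item

def deduplicate(items):
    # Keep the first copy of each distinct hash; return the suppressed duplicates for the audit trail
    first_seen, unique, dupes = {}, [], []
    for it in items:
        if it.sha256 in first_seen:
            dupes.append((it.item_id, first_seen[it.sha256]))
        else:
            first_seen[it.sha256] = it.item_id
            unique.append(it)
    return unique, dupes

def family(items, root_id):
    # Parent plus the children extracted from it, so a message and its attachments stay together
    return [it for it in items if it.item_id == root_id or it.parent_id == root_id]

def build_sample_collection():
    # Constructed sample in a temp dir: e-mail + attachment, a byte-identical copy held by a second custodian, a document
    d = Path(tempfile.mkdtemp())
    files = {
        "msg-1": ("jdoe", "", b"From: jdoe\nSubject: pricing\n"),
        "att-1": ("jdoe", "msg-1", b"%PDF-1.4 constructed attachment"),
        "att-1-copy": ("asmith", "", b"%PDF-1.4 constructed attachment"),
        "doc-2": ("asmith", "", b"Supply contract 2010"),
    }
    items = []
    for item_id, (custodian, parent, content) in files.items():
        (d / item_id).write_bytes(content)
        items.append(preserve(Item(item_id, str(d / item_id), custodian, parent)))
    return items
```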



Production
- Production of paper documents
- Types of ESI comprising the data set for production
- Appropriate format of documentation
- Appropriate storage media for production
- Production capabilities and limitations
- Technical formats
- Communication of production issues between parties



Process steps to implement an effective eDiscovery solution:
- Step 1: Identify the risk
- Step 2: Consider the existing control environment
- Step 3: Evaluate the design of current controls as related to e-discovery
- Step 4: Identify any gaps
- Step 5: Consider the cost/benefit of mitigating existing gaps
- Step 6: Select and implement solutions
- Step 7: Monitor

Software Options
Gartner classifies software and eDiscovery solutions into the following categories for analysis:
- Information governance and archiving tools: using existing e-mail and file archiving, records or content management, with associated litigation hold, preservation, and processing
- Identification, collection, preservation and processing tools: tools that have either a workflow-based system for attorneys to track custodian-led collection or a search and information access system for the IT and legal departments to use
- Analysis tools: for processing, reviewing and analyzing documents, either for early case assessment or a later stage of review, including features such as document categorization, redaction and mechanisms to mark documents as privileged or otherwise categorize and process them (includes the attorney review platforms that have been used for 10 or more years by the legal community to perform document review)

Capability Maturity Model

Source: EDRM White Paper, part of the EDRM White Paper Series, September 2010, Adam Hurwitz, CIO, Business Intelligence Associates, Inc. (BIA)



Entity-level controls needed to address risk associated with e-discovery
Policies, procedures and a standard code of conduct can have a significant impact on the enterprise's ability to execute a strategy to mitigate the risk. Specific IT policies and procedures should be developed to address the risk:
- May entail developing or modifying existing IT policies on data retention/archiving
- Appropriate data retention and deletion schedules must be created and maintained
- Implementation and maintenance of specific technologies
- IT operations and support for the overall e-discovery process and technology solutions

While these policies may currently exist within the enterprise, they should be reviewed to ensure that e-discovery risk is specifically considered.



Relevant Entity Level Controls

Control Environment
- Code of conduct
- Assignment of authority and responsibility
- Risk assessment

Information and Communication
- Policies and procedures
- Effective coordination across legal, IT, and business operations
- Training and awareness programs

Monitoring
- Data retention and archiving review process
- Data destruction and deletion review
- Internal audit assurance



Application and IT General Controls:

Existing applications and systems
- Role-based access restrictions for updates to critical data
- Application security to enforce need-to-know restrictions
- Backup and recovery controls
- Data integrity controls

eDiscovery systems
- Read-only access
- IT administrative access
- Data completeness and integrity
- Backup and recovery

Audit Program
Policy
- Obtain and inspect records retention, legal hold and eDiscovery policies and procedures from Legal and IT
- Compare IT and Legal policies for completeness and applicability to the current environment
- Compare policies to industry leading practices to identify potential gaps

Evaluation of management processes to identify relevant data
- Data mapping: make sure that management has a way to provide an accurate picture of the company's data
- Make sure that the identification process covers the many types of servers holding active and dynamic data (e.g. file servers, collaboration servers, e-mail servers)
- Make sure management considers interrelated data management systems (e.g. document management systems, financial systems, disaster recovery and backup systems)

Data Retention
Review the process for identifying and categorizing data in existing applications as related to the records retention policy:
- Inspect data stored in a selection of applications as compared to the organization's data retention policy
- Make sure data is maintained only as required by a written formal data retention policy and that the retention period is consistent with the policy
- Make sure that data is not deleted prior to the expiration of its retention period per the relevant section of the policy

Legal Hold Process
- Identify the population of legal cases and the associated legal holds
- Trace from legal holds to communications and approvals
- Assess the completeness of the data acquired
- Assess that the data access requirements for that legal hold are appropriate
- Test that read access to the data is limited as appropriate
- Verify that update access to the data is prevented
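The legal hold and data retention audit steps above (and the legal hold process described earlier, where a hold suspends normal disposition), as an added example in Python that is not part of the presentation: a disposition check in which an active legal hold always overrides the retention schedule, and an audit test that re-runs the check over a deletion log and reports any deletion that happened while the record was on hold or before its retention period had expired. The retention periods, hold ids, custodians and log entries are constructed assumptions, not ConAgra's policy.

```python
from datetime import date, timedelta

# Constructed retention schedule (record class -> retention days); an assumption, not a real policy
RETENTION_DAYS = {"email": 3 * 365, "contract": 7 * 365, "invoice": 7 * 365}

# Constructed legal holds: a hold suspends disposition for matching custodians and record classes
# until it is released (released = None means the hold is still in force)
LEGAL_HOLDS = {
    "LH-2011-01": {"custodians": {"jdoe"}, "classes": {"email", "contract"}, "released": None},
    "LH-2009-07": {"custodians": {"asmith"}, "classes": {"invoice"}, "released": date(2010, 6, 30)},
}

def active_holds(record, on_date, holds=LEGAL_HOLDS):
    # Hold ids that cover this record's custodian and class and were still in force on on_date
    return [hid for hid, h in holds.items()
            if record["custodian"] in h["custodians"] and record["class"] in h["classes"]
            and (h["released"] is None or on_date < h["released"])]

def disposition(record, on_date, schedule=RETENTION_DAYS, holds=LEGAL_HOLDS):
    # preserve: on legal hold; retain: retention period still running; eligible: may be disposed of
    held = active_holds(record, on_date, holds)
    if held:
        return "preserve", "legal hold " + ", ".join(held)
    expires = record["created"] + timedelta(days=schedule[record["class"]])
    if on_date < expires:
        return "retain", f"retention runs until {expires}"
    return "eligible", f"retention expired {expires}"

def audit_deletions(deletion_log, schedule=RETENTION_DAYS, holds=LEGAL_HOLDS):
    # Audit test: every logged deletion must have been 'eligible' on the day it happened
    exceptions = []
    for r in deletion_log:
        status, why = disposition(r, r["deleted_on"], schedule, holds)
        if status != "eligible":
            exceptions.append((r["id"], status, why))
    return exceptions

# Constructed deletion log from a hypothetical disposition job
SAMPLE_DELETIONS = [
    {"id": "E-100", "class": "email", "custodian": "jdoe", "created": date(2005, 3, 1), "deleted_on": date(2011, 5, 2)},
    {"id": "I-200", "class": "invoice", "custodian": "asmith", "created": date(2002, 1, 15), "deleted_on": date(2011, 5, 2)},
    {"id": "C-300", "class": "contract", "custodian": "bob", "created": date(2008, 9, 1), "deleted_on": date(2011, 5, 2)},
]
```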

Technology and Data Security
Inspect system settings to determine access to critical systems:
- Email systems
- Shared drives, intranet locations, MS SharePoint, etc.
- Primary databases for relevant business systems
- Backup databases, backup tapes, or DRP stored data

Inspect system configurations and settings of operating systems and logical security settings used to protect the data. Audit users' access to the data:
- Update access
- Read access (strict need-to-know basis only)
- Be careful of IT system administrative access and privileges

Make sure data secured for legal holds is backed up and that periodic processes assess recoverability.

Debrief

- Provided an overview of the eDiscovery landscape
- Discussed the risks related to the area of eDiscovery
- Provided best practice strategies for dealing with eDiscovery risks and related information technology management issues
- Discussed the development of the eDiscovery Audit Program

Contact Information

Scott M. Shinners
Finance Director, Internal Audit
ConAgra Foods
(402) 240 7141
Scott.Shinners@conagrafoods.com
