Are the Federal Rules of Civil Procedure industry specific?
The federal rules are not; they apply to all organizations that are subject to litigation -- so really, everyone. There are industry-specific regulations that these VARs will want to be aware of, such as the Securities and Exchange Commission (SEC) rules for retaining laptop communications in the financial services industry, specifically for brokers and dealers. Anyone who is doing a value-added resale on an email archiving system is going to have to be intimately familiar with how the solution is going to be involved with the federal rules and how it's going to live with compliance. Most companies look at the rules as yet another type of compliance regulation, even though they aren't compliance issues per say; you don't get compliant with federal rules. Are the regulations becoming more stringent? It sounds like companies used to be able to say they didn't have the resources to meet these regulations, but now the courts are not as forgiving.
Absolutely. The rules apply to everyone. The courts are saying it is possible to manage this information and ignorance just won't fly. There are going to be occasions where companies can go look at everything they have and say, 'It's going to cost me 20 billion dollars to get this information,' and they may be able to argue that it's an undue burden or that it's not part of the "reasonable efforts" that the rules talk about. But the courts are going to look at that in a very skeptical way. A small business is probably going to spend just as much to have someone come in and tell them it's going to cost too much, as they would to take care of it. The reality is that if they don't get their hands around this now, it's going to make the problem worse. If I were a VAR selling a solution, I would definitely be putting that message out there. The unfortunate reality for anyone out there selling is that companies don't do anything around this; they feel like there's no business case for it until they've already felt the pain. How can a VAR or reseller drive the point home?
We're working on trying to convince organizations that they need to take this more seriously. I think the key is to not stick the budget with the IT department. Any IT department is going to say 'It's not my job on the line, if we get sued and lose the case. That is legal's problem. If legal is not going to pay for it, we don't care.' But it is falling to IT to pay for it, because it technically is an IT issue -- there is a technology spend involved. Any time an organization says take this out of the IT budget, IT is going to spend as little as possible. That's going to make the problem worse. Say you go out and get a tool to take care of this and the IT department gets the wrong tool. Now you're talking about cleaning up an even bigger problem a year or two down the road.
The best advice we can give to firms is that this is a big change management issue. They need to work very hard to get legal involved and actually raise this issue to the highest executive level. It's not a question of budget per say, or IT saying, 'We can spend a million dollars on technology this year. We wanted to get a BPM engine to help our business to create revenue.' Clearly companies look at creating revenue as a better opportunity than avoiding costs. They need to really get legal, business and IT working together (we talk about formalizing that relationship) and get the budget out of IT, or at least get it to a point where it's a shared cost and everyone's putting into it.Could there be any channel opportunities in 'formalizing these relationships,' perhaps through BPM?
Where we see this happen is in the governance risk and compliance platforms. Those are typically supplied by Oracle, SAP, IBM and EMC. Those GRC platforms are made up of a combination of enterprise resource planning (ERP) systems and business process management (BPM) functionality. Even though there are GRC platforms that are offered by large vendors, there is also an opportunity for VARs to put together different functionality that would help them put a dashboard on the process, so compliance people can see how things are going, can gauge risks and see red light, green light, yellow light, and manage the process that way. That can also help to formalize the roles and responsibilities within the organization around IT, or legal.
What we've seen is that companies have either involved their records management group to do an internal consulting role and liaison between, IT, business and legal, or they have created a specific group and they are calling it something like information management; that department's job is to be the change agent: Understand how the business uses information and how compliance and litigation affect retaining and using information. They are also versed in IT, so they can talk with IT about their requirements for solutions. This is an interesting opportunity for providers to sell into whatever kind of solution they can put together for this cross-functional group.How can resellers help customers maintain discoverable data in its native format?
The data format piece means that you would have to be able to produce an Excel file in Excel, with all its metadata intact. A VAR could provide a solution that takes what the organization currently has and ties together the ability to make the content immutable -- meaning make sure the metadata doesn't change if someone were to open a document in another format and review it. A consultant could provide an environment where the organization could run a search, collect potentially relevant data and review it without changing any of the metadata or file, maintaining the chain of custody. Can resellers help customers determine what data to keep and not to keep?
There is a big opportunity in the autoclassification world that has not yet taken off: How to autoclassify what a document is and where it belongs and where to retain it based on that auto classification. Most things are classified and retained manually today. There are certainly opportunities for resellers to put together archiving capabilities and search capabilities with autoclassification in records management functionality. They could create solutions that enable an organization to proactively dispose of or retain information based on what it means, as well as being able to put a litigation hold and stop that disruption if that information does become relevant to litigation. It is a difficult thing for companies to manage, because they have to figure out how to do it: by keyword, by metadata, by custodian. Any possible way a VAR could make that process easier would be a good solution. How are regulations affecting email archiving?
The regulations are driving a lot of companies to go out and buy email archiving products, so they can reduce the costs of discovery on their email and be more proactive about not letting people put .PFT files on their local machine and forcing them to put files into the archives so they aren't spending a lot of time doing the forensic discovery. The regulations allow for certain information, such as social security numbers, to be masked. Is there a channel opportunity there?
There's technology that will identify any type of documents that has private information, or anything that should be held confidential. That technology would be a good fit to be put together with something like archiving or content management, so that organizations can put some rules around what you do with content that has private information. Searching and indexing technology can identify data like social security numbers or credit card numbers. The question is what do you want to do with that information once it's found? That would involve security technology. Since data is dynamic and can be changed inadvertently -- sometimes by merely turning a computer on or off – what challenge would it present in a litigation case?
Once a litigation hold is put on a piece of data, it is up to the company to track and audit and make sure nothing changes, because if data does change they run the risk of exfoliation and the fines that come with the exfoliation of data. If the data changed and the company can't audit and track that nothing material changed, they could potentially be in trouble.
To protect against that, run algorithms to prove that the document has not changed. If it has changed they have to create another document. What they normally do is remove anything that is potentially related to its own matter repository and then manage all that with hash algorithms that prove that it hasn't changed.
This is the big thing around backing up documents on WORM disc and making sure they become read-only, can't be changed and are immutable. The WORM storage device has become very important in the storage discovery context.Where do you suggest resellers and systems integrators get information on the new FRCP regulations?
The best place is probably the Sedona Conference Web site. The Sedona conference is made up of technology vendors and consultants in the industry that look at the Federal Rules of Civil Procedure and think about what they mean in terms of implementation for companies. It is more vendor driven -- because they have to create the solutions. I wouldn't just go with the vendor; it's good to get an objective voice, too. But any kind of VAR needs to work with the vendor to understand what's your value proposition visa vie the federal rules.