Technology is changing rapidly as industries experience the accelerated adoption of cloud-based platforms. Organizations squeezed by a tight economy see opportunities for increased business productivity and huge potential cost savings by moving to virtually hosted platforms including Google Apps. Meanwhile, the pace of technological change dictates a need for new strategies to handle the influx of data. Careful planning is the first and most essential step in meeting enterprise risk management (ERM) needs and avoiding serious compliance issues when transitioning to cloud applications, however improbable they may seem.
The recent flurry of activity surrounding WikiLeaks data breaches and other hacking incidents signifies the importance of addressing ERM as it relates to new technology. Organizations left in the wake of such incidents include McDonald's, Walgreens, Gawker Report Systems and Honda. All were targets for customer database hacking late last year. Taking an immediate and strong stance is a priority for government agencies and other corporations trying to rebound from these attacks. The reality is that the pace of technological change will continue to pose difficulties for data management. In order to understand how to manage risk, it is important to first know where the weaknesses lie.
Many organizations are concerned over managing increased volumes of data and the growing cost of retention. Organizations must consider that data transfers and stores in the cloud can be more difficult to track if the proper systems are not in place. In short, ERM is becoming more complicated. As a result, it is more important than ever that organizations plan to avoid exposure by anticipating new approaches to ERM.
These considerations are particularly applicable to agencies and brokerages inundated with records that must be carefully maintained to manage risk and comply with government mandates. A well-planned ERM process should account for the likelihood of compliance missteps in several ways. Planning will not only help avoid compliance violations with Sarbanes-Oxley, ISO 15489, DoD 5015.2 or MoReq2; it can save a company a great deal of risk and expense in the long run. It is essential for organizations migrating to the use of a cloud-based platform to have a reliable, well-organized records management program. This starts with a thorough evaluation of existing procedures; analyzed side by side with proposed enterprise technology, procedures will need to incorporate new risk management processes and controls.
Litigation and e-discovery
Litigation is one of the riskiest and costliest events a business can encounter. Although insurance agencies might like to think it improbable, the truth is that agencies encounter suits commonly enough to allocate a considerable portion of their annual budgets to them. In the recently released “7th Annual Litigation Trends & Report” by Fulbright and Jaworski (www.fulbright.com), nearly 40 percent of industry sector respondents were insurance agencies that reported having more than 20 suits commenced against them. The study accounts for 403 participants interviewed across multiple industries.
When such suits are filed, e-discovery quickly follows. E-mail, corporate records, internal memos and even social media activity become evidence of an organization's activities and are discoverable. The intrusiveness and breadth of e-discovery can impose both direct costs on the organization and collateral costs in lost time and efficiency.
The same report cited above found that 50 percent of U.S. companies surveyed spent $1 million or more on annual litigation expenditures this past year. Wouldn't it make sense to budget for an ERM process with front-end protection that mitigates costly back-end expense? Risking penalties, claims of spoliation and possible contempt citations during litigation as a result of not having or following compliance and records management standards is not a risk worth taking.
Records management and automated ERM
Policies and systems are what protect an organization from e-discovery risks. Especially important is having a reliable records management system in place. There are several options for how they may be applied. Manual application can be risky because it is inconsistent. We no longer live in a world where carbon copies and a few filing cabinets are all an organization needs. Automating records management processes is the key to simplifying records management, guarding against litigation and minimizing the hassle surrounding otherwise expensive and time-consuming e-discovery. Ultimately this means less risk.
For one thing, manual application carries an inherent element of human error. There is simply too much data to be managed and too many communication avenues to expect that mistakes will not be made. An even greater risk is misuse. Technology makes it easier than ever to exchange data faster and between more parties. This means advertent and inadvertent exposure to leaks of confidential information. The KPMG 2010 Data Loss Barometer Report states that one in five data leaks in early 2010 came from malicious attacks inside the organization.
A final concern is lack of awareness. Insurance professionals would be appalled to know how many people are unaware of the document management policies in place. Without the proper implementation of records management policies, any organization faces greater risk of violation. The Assn. for Information and Image Management addresses this issue in a document, “Principles of Real World Records Management”:
“In the past companies have put the onus and the burden (not to mention risk) of making key decisions about records management on employees—a major deterrent to RIM policy enforcement. The majority of employees are ill equipped to make these decisions, because they are unaware of records management policies and/or the impact of their actions (or inaction).”
Many organizations will instead use software to automate records management processes. Fewer organizations, although the number is increasing, will embrace the change wholeheartedly and turn to the cloud. If choosing a cloud-based SaaS (software-as-a-service) application, consider how well it addresses the following three considerations:
- An automated records management application should provide complete compliance and records management with features designed to meet standards for regulatory compliance.
- The application must be easy to deploy and simple to integrate with existing document management processes.
- The application should be intuitive and easy to use, as well as transparent to the user if possible.
Records management is a back-office function that need not consume countless work hours, space and mental capacity. The goal of automated systems is to achieve a level of confidence in the systems that are in place, minimize the risk of violation from mismanagement, and free up staff to handle more critical issues at hand.
Requirements for regulatory compliance
Five requirements for regulatory compliance must be met in order to avoid unnecessary e-discovery risks.
- Centrally controlled document access management is one of the most essential elements of compliance; it is the ability to centrally control which users have access to the shared documents.
- Document classification policy management allows you to control the classification of records for better logical grouping and security. The ability to locate data efficiently is half the battle of e-discovery.
- Retention policy management is the application of specified retention schedules to records of any type from a central application. This helps you keep the records for the required amount of time, and delete them when the retention policy requires it.
- Destruction and disposition policy management is important because you should be able to track all stages of destruction to show a history of approvals (if required) and adherence to policies. This ensures you meet compliance regulations requiring the destruction or archiving of records after a certain period of time.
- Legal hold management is a function that prevents destruction of documents if they are under litigation hold. Legal holds ensure that an organization will not fall out of compliance with court orders and risk fines, claims of spoliation or contempt citations.
All five requirements support the principles outlined in the Generally Accepted Recordkeeping Principles, created by the Assn. of Records Managers and Administrators. These principles are standard for IT and records management departments across all industries. They certainly apply to agencies and brokerages responsible for managing extremely sensitive information, while adhering to strict government mandates.
Backlash from WikiLeaks and growing information management issues, including incidents of fraud, are inspiring new regulations and mandates that pertain to the insurance industry, among others. Agencies and individual brokers are particularly vulnerable to risks associated with E&O exposure. Currently, “negligent actions” can be described as an agency's lack of adequate control over client documents and files. Failing to secure sensitive client records can be the fast track to costly arbitration.
With identity theft and mismanagement of classified information on the rise, the Federal Trade Commission “red flags” ruling sets measures to help organizations identify early signs of potentially damaging activity. The rule is just one example of a new ERM approach mandated by the government to help organizations protect their customers and avoid compromising reactive situations.
SaaS and ERM: Need to know
The transformative growth of SaaS applications also affects ERM. SaaS is the only technology gaining considerable traction in the current market. It offers businesses cost savings and real-time support to help them be productive in a host of scenarios. For these and other reasons, vendors like Microsoft, SAP and Oracle are moving to the cloud to capitalize on the growth. A forecast analysis released in July 2010 by Gartner reported that SaaS will grow worldwide at a 15.3 percent compound rate in the enterprise application markets through 2014.
One of the most popular SaaS applications to date is Google Apps. More than 30 million users in three million businesses, government agencies, schools and other organizations worldwide have switched to Google Apps. Among those considering the switch are agencies and individual brokers seeking cost savings and the increased flexibility to access documents from any location.
However, Google Apps does not have any built-in document compliance or records management features to meet organizational standards and legal regulations. Simply put, this means that Google Apps users can use some but not all of the available features without risking serious issues with compliance violation. Millions of users might already be in compliance violation if they are using Google Docs without another records management system in place. This is a considerable concern for businesses looking to mitigate risk.
Fortunately, vendors recognize the hole and are developing SaaS compliance applications for Google Apps. RecMan for Google Apps is the only application currently available, but we can expect applications from other vendors in the future as Google Apps continues to grow.
Before adopting a cloud-based platform, IT departments and compliance officers should be involved in cross-departmental conversations. These are the very people who have the expertise to protect your organization from potential litigation and e-discovery issues. With carefully planned compliance measures that account for the integration of new technology, ERM processes remain intact. In fact, SaaS makes it easier and more affordable than ever for businesses to stay on the cutting edge with software that might otherwise be too costly or too disruptive to integrate with existing systems.
Planning
A great debate over the move to the cloud brings forth questions of enterprise security and proper records management. The fundamentals of records management don't change. However, new technology presents enterprise risks that must be considered. In short, an overabundance of information makes it exceedingly difficult to keep track of sensitive records that have the potential to expose companies to areas of weakness, should a suit be filed.
Using hosted business solutions in the cloud only has to be a scary prospect for organizations that have not first anticipated how their ERM process will translate. Planning is essential to avoid e-discovery issues; otherwise, plan to spend a lot of money. The good news is that SaaS applications are making it more affordable than ever to integrate targeted solutions into the IT platform, increasing productivity, efficiency, and expanding your options for doing business in a virtual world. In addition, many organizations consider cloud-based applications to keep their work force on the cutting edge.
Although there are sure to be some sticky issues with any ERM plan involving enterprise-wide records management, the most difficult step is making sure that the company IT department and records management individuals or department are on the same page. Departments should work together to establish a plan for the application of retention policies. In the long run, this should also save on legal expenditures.
Organizations considering the move to a cloud-based platform should consider several factors:
- What processes are already in place and how might they be adapted for monitoring digital info and materials shared via the web?
- What procedures are missing to mitigate e-discovery risk if litigation occurs?
- The organization should establish a unique plan for the internal controls over its processes.
- The best ERM program an organization can have is a clear definition of purpose and the processes and tools in place to make sure these are met without fail every time.
Applying your agency's retention policies consistently and systematically reduces the cost of e-discovery. Think of it this way: records, which are merely evidence of an organization's activities, are a trail of breadcrumbs that lead back to any infraction. The fewer stale breadcrumbs that are forgotten, the better the chance of avoiding costly legal repercussions.