What is the CCO’s role in eDiscovery and how does one enforce rules that are always evolving?
At first glance, the Chief Compliance Officer or CCO’s role in eDiscovery is plain and simple, just as it appears: to make sure that everyone at their organization is following the rules. Corporate compliance standards are mandated at the local, state, federal, and international levels, and they can vary widely according to factors such as the industry in which you operate or the agreements you have with clients and regulators. Rulebooks about data management—how to handle, organize, store, transfer, or delete it—are already complicated and getting more so every day. Where should a CCO start?
The CCO’s role in eDiscovery is to COMPLY.
In study upon Harvard study asking GCs, corporate executives, and compliance officers to call out the greatest threats to their businesses, one increasingly resounding answer is regulatory risk. Staying informed of ever-changing laws about privacy, ethics, data management and security constitutes a full-time job in many organizations all on its own. Add to that the responsibility of keeping all the departments in an organization in compliance with those ever-changing laws and regulations, and the CCO’s role in eDiscovery starts to resemble that of an air traffic controller.
Compliance with what? The CCO must enforce compliance with internal controls as well as external audits and investigations. Audits by regulatory bodies have become so common, in fact, that entire cognitive analytics platforms traditionally popularized in eDiscovery processes, like NexLP and Brainspace, now target compliance incidents related to insider trading, money laundering, FINRA, bid rigging and more. If your duty as CCO involves identifying compliance issues at the source and resolving them before they can escalate, then eDiscovery is in your life already, whether you know it or not. And it’s here to stay.
Local, state, federal, and international compliance laws are especially stringent for regulated industries such as Energy, Banking (the American Bankers Association even offers free Compliance Training), and Healthcare. In 2003, the Department of Health & Human Services Office of Inspector General published a list of elements for a successful Compliance program. While targeted at the Pharmaceutical industry, this valuable checklist is, not surprisingly, applicable to many industries and the eDiscovery practices subsumed therein:
- Written policies and procedures
- Designated Compliance Officer and Compliance Committee
- Effective training and education
- Effective lines of communication
- Internal monitoring and auditing
- Standards enforced through well-publicized disciplinary guidelines
- Prompt response and corrective action to detected problems
The CCO’s role in eDiscovery is to CLEAN UP DATA PROACTIVELY.
It’s 2021 and it’s raining data breaches. (We know because we help fix them.) Whether it’s a few receipts at Staples or the PII of millions of Equifax, Facebook, or TikTok users, every organization that handles electronic data incurs risk. When your company faces litigation, your most sensitive data is what gets handled, scrutinized, passed around to outside counsels, and put at risk of a leak. First and foremost, the CCO’s role in eDiscovery is to make sure your company’s data house is in order long before a litigation event ever occurs.
As CCO you should know the current state of your company’s data hygiene at any given time. Revisit that often and compare it with how stringent your data hygiene should be in light of your organization’s size, history, legal needs, etc. eDiscovery is heavily scrutinized because of what it is, so the CCO’s role in eDiscovery is that of the ultimate data babysitter—keeping an eye on the metadata and maintaining integrity of the data as it moves through the EDRM.
A huge part of good data hygiene is establishing proper, timely and appropriate data destruction protocols. COVID’s economic impact has forced companies to re-think their IT budget, and many have opted to allocate funds to start cleaning up their data—old and new. (Your data closet might be neat and tidy, but a merger or acquisition could mean that you inherit someone else’s data skeletons.) As CCO, you should be fully aware of the do’s and don’ts of data deletion so that you can guide and instruct the teams at your organization, for example:
- DO identify and preserve data tied to Litigation Holds (and, of course, regulatory retention requirements) first. eDiscovery service providers can help with this, so you can free up your legal teams and IT to deprecate or delete data that no longer serves a purpose and is not subject to any regulatory or legal hold requirements. Not only is that proper data hygiene, but it will save you substantial costs later when the need arises to preserve, collect, and review data for a legal event.
- DON’T assume you are staring down the keyboard at the only copy of your data. Are there copies of the data you’re trying to destroy living outside your organization, perhaps in abandoned databases inside law firms or vendors past? Often, knowing where all that data resides is half the battle.
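The DO/DON’T guidance above amounts to a screening step that runs before any deletion: check legal holds and retention schedules first, fail closed on anything you cannot classify, and keep track of copies that live outside your own systems. The Python below is an added example and is not BIA’s code or tooling; the record layout, the active hold list, the retention periods and the external-copy field are all constructed assumptions chosen to illustrate the procedure.

```python
"""Screen records against legal holds and retention rules before disposition.

Added example, not BIA's code. The record layout, hold list and retention
schedule below are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str                 # e.g. "email", "invoice", "hr_file"
    created: date
    matters: tuple = ()           # matter ids this record is tied to
    external_copies: tuple = ()   # known copies held outside the organization


# Constructed retention schedule: minimum number of days to keep per category.
RETENTION_DAYS = {"email": 365 * 3, "invoice": 365 * 7, "hr_file": 365 * 10}

# Constructed list of matters currently under litigation hold.
ACTIVE_HOLDS = {"M-2019-04", "M-2020-11"}

# Constructed sample inventory.
SAMPLE_RECORDS = [
    Record("R1", "email", date(2015, 1, 1), matters=("M-2019-04",)),
    Record("R2", "email", date(2015, 1, 1)),
    Record("R3", "invoice", date(2016, 3, 1)),
    Record("R4", "email", date(2016, 1, 1), external_copies=("outside-counsel-archive",)),
    Record("R5", "scan", date(2010, 5, 5)),   # category with no retention rule
]


def screen_for_disposition(records, active_holds, retention_days, today):
    """Return {record_id: (decision, reason)} with decision 'delete' or 'preserve'.

    Hold checks run before retention checks, so a record on hold is never
    released just because its retention period happens to have expired.
    A record whose category has no retention rule is preserved (fail closed).
    """
    plan = {}
    for rec in records:
        held = sorted(set(rec.matters) & set(active_holds))
        if held:
            plan[rec.record_id] = ("preserve", "legal hold: " + ", ".join(held))
            continue
        keep_days = retention_days.get(rec.category)
        if keep_days is None:
            plan[rec.record_id] = ("preserve", "no retention rule for category")
            continue
        release = rec.created + timedelta(days=keep_days)
        if today < release:
            plan[rec.record_id] = ("preserve", "retention until " + release.isoformat())
            continue
        if rec.external_copies:
            # Deletion here is not the end of the job: copies elsewhere must be recalled too.
            plan[rec.record_id] = ("delete", "also recall copies at: " + ", ".join(rec.external_copies))
        else:
            plan[rec.record_id] = ("delete", "eligible")
    return plan


def sample_plan(today=date(2021, 6, 1)):
    """Run the screening over the constructed inventory for a fixed date."""
    return screen_for_disposition(SAMPLE_RECORDS, ACTIVE_HOLDS, RETENTION_DAYS, today)


if __name__ == "__main__":
    for record_id, (decision, reason) in sample_plan().items():
        print(f"{record_id}: {decision:8} {reason}")
```

The ordering is the point: the hold check sits above the retention check and the unknown-category branch preserves rather than deletes, so a misconfigured schedule errs toward keeping data. The external-copy branch only annotates the decision; actually recalling those copies from former vendors or law firms is a separate task to track.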
The CCO’s role in eDiscovery is to COLLABORATE.
I encourage CCOs to follow Maurice Gilbert’s advice to think of your role (and help others perceive you) not as the sheriff but rather as a consultant or partner. This is an important distinction because your colleagues are less likely to be open and up-front with you if they see you as an enforcer, an adversary, or worse, the undercover agent lurking in the shadows, waiting and watching for someone to break a rule.
As with most leadership positions, the team approach here is a crucial ingredient for success. Facilitate conversations about compliance with stakeholders and connect with other C-Levels regularly. This could be as simple as a quarterly sync or as complicated as a system with automated alerts. Create your own Data Action Response Team (DART) and determine other team members who will provide support during normal times (e.g., planning) and also during incidents (for IR).
Worth noting here is the separate but related role of General Counsel or Chief Legal Officer. Historically, many organizations had a CCO who reported to the GC. However, in recent years corporations have opted to detach the CCO from the Legal department in an effort to foster independence on the part of the compliance gatekeeper. Simply put, nobody wants to point out that their boss is not following the rules. One answer? Remove the vertical hierarchy of that relationship. (Whether or not that helps or hinders corporations’ transparency and commitment to compliance is still up for debate.)
A key aspect of compliance is CONSISTENCY.
Whether you’re at a 5-person startup or a multinational corporation, all your data comes with rules about how to manage it, and those rules rely heavily on consistency. Make sure that as CCO you comply with internal and external regulations, keep your data clean, and collaborate with others across your organization, enabling them to do the same. Get your ducks (read: policies and documentation) in a row now. You don’t want to be writing policy as a regulatory event is unfolding (at BIA we liken that to changing a tire while driving down the highway).
As always, BIA’s eDiscovery experts are here to help. We can work with you to develop protocols, playbooks and best practice guides to get your eDiscovery steering committee headed down the right (compliant) path. We can help you make decisions about data hosting, litigation hold management, or handling data for M&As. If you need help responding to a data breach, we’ve got a cleanup crew full of experienced experts. The CCO’s role in eDiscovery is an ever-changing one; let us help you stay on your toes, so you can keep your organization on theirs.
Contributors: Maureen Murchie