Evidence management solutions for mitigating e-records risks: bringing together IT, legal, RIM, and compliance officers through integrated information risk management (IIRM) is a smart move that can help a company mitigate regulatory and legal risks.

Author: Peglar, Rob
Position: LegalWatch

Reports about various organizations' struggles to comply with recordkeeping regulations are regularly in the news, reinforcing the need for organizations of all sizes and in all types of industries to be more vigilant than ever about their information management practices. Managing e-mail, which is perhaps the least understood and managed set of records in any organization--and is potentially the "smoking gun" used by plaintiffs in litigation against an organization--is particularly problematic for many organizations.

The optimal way to mitigate information technology (IT), legal, records and information management (RIM), and compliance risks associated with managing information is to take an integrated approach, which brings together a coalition of stakeholders in those areas to implement a comprehensive plan, as opposed to piecemeal "point" solutions. This approach is known as integrated information risk management (IIRM).

An organization must determine such things as:

* Does it have a sustainable records (including e-mail) retention policy?

* Can it efficiently and effectively execute a hold order on electronic information in the event of a lawsuit?

* Are its RIM, IT, legal, and compliance practices integrated into a comprehensive set of processes and implementations?

If not, it may face above-average corporate risk and litigation costs. According to the 2005 Fulbright & Jaworski Litigation Trends Survey of corporate counsel, U.S. corporations with $1.5 billion in annual gross revenue average more than $8 million in corporate litigation costs and more than 140 cases pending at any given time.

U.S. Regulatory Requirements

All organizations must be careful to ensure compliance with federal legislation regulating the dissemination of nonpublic information. Three primary U.S. laws--the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), and the Sarbanes-Oxley (SOX) Act of 2002--affect virtually every aspect of an organization's information-sharing practices. While these acts are similar in their intent, they differ in the types of records they target.

For example, HIPAA and GLBA are similar in that each mandates how particular healthcare and financial consumer records must be protected by organizations in order to ensure privacy. However, SOX is concerned with the integrity of financial reporting records. It mandates that senior executives must vouch for the financial data reported by their organizations.

But all three regulations require that certain material be protected from exposure to unauthorized parties, either to avoid a violation of privacy or to ensure that data has not been manipulated without authorization and authentication.

E-mail in an IIRM Approach

An organizational practice that spawns multiple areas of risk--legal, IT, RIM, and compliance--is the use of e-mail. And--industry analysts agree--e-mail use is expected to grow significantly in the near term. According to a March 2007 study, "Worldwide Email Usage 2007-2011 Forecast: Resurgence of Spam Takes Its Toll" from analyst firm IDC, "The size of business email volumes sent annually worldwide in 2007 will approach 5 exabytes, nearly doubling the amount over the past two years."...
