Data Management for eDiscovery and Regulatory Compliance: Everything You Need to Know  

Compliance has never been a simple practice. Whether regulatory or internal, there are policies and conduct, practices, and audits to keep straight. To comply with any standards, you have to start with the data and how it is managed. The great uniter: Data management.  

Without proper data management, no strategy or technology can solve any compliance challenges. Which is why we recently hosted a webinar with financial services experts to discuss challenges and solutions within the field in the context of regulatory compliance and litigation. 

Moderated by Ari Kaplan, legal industry expert, the panel highlighted Shield and KLDiscovery’s valuable partnership that helps eDiscovery and Surveillance teams meet their data management requirements. Courtney Kern, the Director of Compliance Information Governance and Archiving Solutions at KLDiscovery along with David Aronson, a senior product marketing manager at Shield, spoke with Anthony Diana, partner and co-chair of the IP Tech and Data Practice Group at Reed Smith. 

Read on for the insights everything you need to know to set up a solid framework for your data management challenges.  

4 Key Takeaways 

1. Digital communications (dComms) refers to just about anything and everything communicated on a digital platform.
2. While regulatory record-keeping requirements may differ, the difficulty lies in collecting and archiving digital communications.
3. Data volumes, analytics, and the use of personal devices with an ever-expanding collection of apps being utilized—despite official policies—means that compliance teams can’t just turn a blind-eye any longer.
4. Managing the almost incomprehensible amount of dComms starts with striking a balance between automation and human talent.

Defining digital communications  

Kaplan began the discussion by sharing analysis data generated based on interviews that he conducted with leaders making eDiscovery decisions within the legal field. “There are lots of challenges here, but when I talk about communication data types, it’s just overwhelming. The feeling is just one, big sense of overwhelm,” Kaplan said.  

It’s easy to see why it’s overwhelming, we can’t even agree on what the definition is. In the last 10 years, the definition of dComms has evolved dramatically—it had to, given the proliferation of communication forms. That means that regulatory compliance officers need to be capturing at least some chunk of the 45 billion messages sent daily on WeChat plus a slice of the 100 billion messages sent daily on WhatsApp. These volumes alone are enough to make anyone’s head spin.

Diana made it clear these chat apps, despite company policies, have been in use for a while, just not at the forefront. He went on to explain the volume and sheer number of channels make it impossible to have a comprehensive monitoring solution.

“I think the other thing to keep in mind is how the decentralization of electronic communications has been wildly dramatic, particularly in the past two or three years. One of the things that I see as a challenge for every outside council, and in-house council, too, is you can never say, ‘I am preserving all communications.’”

Kern made a critical point, “It is very important now more than ever for everyone to be cognizant of the fact that if you put it into an app, if you put it on the internet, it’s not going away. It is discoverable. And therefore, it is subject to surveillance.”

Risk management and litigation implications

For nearly 2 decades, digital communications were email. Period. It reigned supreme as the primary mode of business communication. However, this landscape has experienced a seismic shift, bringing with it complexities that were previously unforeseen.

Everything has changed in the past couple of years with the proliferation of mobile technology. Litigators and compliance professionals must build solutions that can adapt to the multiplicity of communication channels as they come online. The challenge lies in determining what to preserve and collect, which can be somewhat subjective.

Aronson lamented, “Now you must consider emojis, personal communications like WhatsApp, SMS, complex data sources, massive volumes of data, and of course it’s just growing. It is simply not possible to preserve everything because there are just too many ways to communicate. We are going to have to come back to relevance.”

The intersection between compliance and communications

Legal discovery has evolved to become an integrated discipline whereas it was historically its own silo, as Kaplan explained. As technology advances, so does the breadth of data sources, making it increasingly challenging for organizations to maintain regulatory compliance.

“The intersection is so big and so complex, everyone has a seat or should have a seat at the table in terms of understanding how we’re going to build the dComms strategy for all of us on a united front, but we may not be able to be fully united.”

In the digital age, understanding the essence of digital communications is fundamental for individuals and organizations alike. It spills over into data volume, complexity, use cases, analytics, reporting, search, archive, and surveillance. The importance of this broad definition cannot be overstated. It lays the foundation for comprehending the implications of good data management.

It can be a daunting task for legal professionals to understand the evolving modes of digital communication and their implications for legal proceedings. Kern explained the heart of the problem, “Many policies prohibit the use of WhatsApp, however, it’s the app that everyone wants to use. When employees are using their personal devices and not abiding by the policies, you as a company are still accountable.”

Balancing automation with human talent

One of the critical questions in managing digital communications is how to strike the right balance between automation and human judgment. Collectively, we have surrendered to the convenience and comfort of mobile technology, we never leave home without them. Restricting tech on company issued devices seems like a logical strategy, however, companies are increasingly favoring “BYOD” which is Bring-Your-Own-Device. But how do you monitor it?

Regulatory bodies such as the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) are increasingly focusing on digital communication, highlighting the importance of staying ahead of risks and taking a proactive approach. In the last year or so, we have seen unprecedented fines of $200 million levied on multiple financial institutions who failed to corral their employees’ usage of WhatsApp and/or fail to properly monitor it – let alone archive it.

“A policy is helpful, but there needs to be a strategy communicated to the employees. But IT professionals don’t want to disrupt the business,” Diana adds. “So, the business is dictating which apps their employees should use because their clients are using them. It’s hard, but there has to be some type of structure and approval strategy which includes a process for identifying which communications apps should be in use and a process for approving those apps.”

Cost is another factor (when is it not?). He continued, “Every time that you approve an app, you make a determination that has to be captured. There’s a cost associated with that. Someone has to monitor it.”

Not only does this increase the expenditure, but it also increases the complexity and takes people away from their “day jobs” because you’ve added one more thing for them to do. And that’s an audit. Companies need processes to review and test their existing processes.

“I think you have to have consequences if people are violating the policy,” Diana suggested, “All of that must be factored in, but it’s not easy. And we’ve seen this in some of the fines; oftentimes senior management who are the violators. You can’t have a policy where senior management is the exception, right? It’s top down. And that’s one of the things that the SEC and FINRA have always said is they want to see a culture of compliance.”

Automation, while efficient, cannot always replicate the nuanced decisions made by humans, particularly in legal and compliance contexts. Human talent is typically the judgment that’s involved. Aronson explained, “It’s the kind of thing that if I were to hand this to someone else, I may not get the same result that would happen if I did it myself. And those are always going to be the hardest tasks as an organization built to pass off to anything that’s automated because how can you trust you’ll get consistent results?”

Based on the survey data cited above, obtained through dozens of client interviews, the issue appears to be that organizations are simply overwhelmed. They lack the resources to implement closed-loop systems. There is also some level of internal skepticism about the full potential of AI to generate conclusions or results consistently. Aronson highlighted the example of an automated search constructed by a senior analyst but made available to junior analysts to expedite sorting through the backlog.

“Sure, the work will move along faster, but what if it takes weeks or months to identify an inconsistency, then what? Exacerbating the problem is the global economy with unevenness in the regulations and implications,” Aaronson explained. “For example, consider communications in the context of GDPR in Europe and Canada versus in the USA.”

The Bottom Line

Simply stated (or perhaps not so simply): the implications are huge, the definition of digital communications is broad, and the task of monitoring and archiving all forms of it are just about impossible. Nevertheless, it is essential that companies do all that they can to mitigate their risk. eDiscovery and regulatory compliance are not going to get easier, even with the advancement of AI. New data forms and new dComms channels will continue to shift the landscape. So, it’s up to compliance officers to do all that they can to build flexibility into their surveillance systems and remain current with state-of-the-industry findings to mitigate the risks regulators require.