How to Make E-Discovery Compliance Part of Your Business as Usual

Pharmaceuticals is perhaps one of the industries where compliance with regulatory and industry standards, such as the privacy and security of personal information, matters most – in clinical trials, outsourcing, cross-border data transfers, anonymization and other areas.

In the world of Big Data, the exponential increase in electronically stored information volumes and data types (such as email, social media, cloud-based applications and voice), the challenges around managing it to meet business objectives, regulatory compliance requirements and heightened government intervention and litigation, have stymied many organizations in their efforts to track and control rising volumes of important—and often sensitive—data as part of their business processes.

As compliance and electronic discovery – the identification, acquisition, review and production of potentially relevant data in an investigation or litigation – quickly converge, pharmaceutical companies must understand how to manage it to minimize exposure to both extensive costs and risks (while maximizing the value of its data for business purposes). The best way to do so is by incorporating e-discovery as a repeatable business process into the larger corporate compliance program.

Practical Steps to Integrate E-Discovery into Business Processes

Pharmaceutical companies can protect themselves by acting proactively in advance of any litigation or investigation. Weaving e-discovery into business processes promotes adherence to important e-discovery procedures and can align such processes with overall corporate compliance mandates, which can reduce organizations’ costs and risk exposure in both the short and long term.

Tip 1: Build a Team

Companies should begin to incorporate e-discovery into their business practices by building a team responsible for managing this process. First, ingraining e-discovery within an organization’s culture requires executive buy-in; therefore, the team should include senior-level management. Representatives from the legal and IT departments are essential, as are members from other branches involved in compliance. Outside specialists, including consultants and legal vendors, also play an important role, as they can offer specific expertise.

It is hard to overstate the benefits of the transparency that an interdepartmental team can offer. For example, prior to coming together, legal may not have understood IT’s approach to a problem in managing data for compliance purposes, or IT may not have understood the implications behind the legal department’s directives. However, by collaborating, representatives from all points on the corporate spectrum can create and implement balanced and comprehensive policies.

Keep in mind that bringing together a diverse group can present difficulties, so communication is vital to the team’s success. Team members should commit themselves to educating one another about respective expectations and capabilities. Communication should flow from the executive leadership level: senior management should embrace information governance as a foundation of operational excellence.

Tip 2: Create a Culture of Information Governance

When it comes to Big Data, it can be easy to miss the forest for the trees—after all, there are so many trees. But instead of grappling to simply manage their data on a day-to-day basis, organizations can act more effectively by conceiving of information governance and establishing a comprehensive structure that supports all of an organization’s data, along with processes and roles that outline how the organization will handle information. Within a structure that accommodates all of a company’s information, data thrives as an asset rather than a liability. In an organized system, useful data is predictably retrievable and easily leveraged across multiple platforms. Under a “keep everything” policy, on the other hand, data is in dangerous disarray, making it a liability in the event of a legal emergency when an organization may be called upon to search through and retrieve troves of data, much of which could have been defensibly discarded as part of a corporate retention policy. 

Companies that engage in information governance can also better guard data privacy. Companies should seek to protect sensitive data by establishing “privacy by design”—that is, incorporating practices into their information framework that reflect a commitment to information security, including “data security, reasonable collection limits, sound retention practices, and data accuracy.”[1]

Two of the most critical steps in information governance are inventorying records and developing a robust document retention policy that sets forth a retention schedule for various record types. Determine how your company needs to retain each type of document based on legal, fiscal, or administrative needs, and assign a disposition date to each category. Ensure your policy includes all information, in both paper and electronic form—particularly e-mail.

strong>Tip 3: Develop a Litigation Readiness Plan

Developing a litigation readiness plan should be one of the team’s top priorities. At the heart of the plan should be the organization’s goal to reasonably, in good faith, and proportionally meet legal duties. As limiting risk and cost are foremost in the minds of organizations involved in litigation, the team should establish groundwork that, at the outset of litigation, will enable the company to target only relevant data and avoid overly broad data collection.

A critical first step in executing this task is knowing—and mapping—the organization’s data, including understanding the various types of data the organization generates, who creates and modifies it, and where it is stored. The team should also assess whether the data is readily accessible and if not, what steps might be required to access it and the associated costs. The team’s proactive investment of time at this juncture can prove invaluable during the time crunch of litigation or an investigation.

In addition, the team will need to determine what will trigger the issuance of a litigation hold notice. The team should also draft policies and procedures for implementing the hold, and it should decide who will be responsible for issuing the notice and set a schedule for reminding recipients of their continuing obligation to preserve data.

Finally, the team should consider whether it will need the assistance of third parties in the event of litigation. Before a lawsuit is filed or before an investigation arises is the best time to thoroughly vet potential partners and determine whether the scope of their services matches your company’s needs.

Tip 4: Educate Employees

Informing company employees about policies and procedures – particularly around responsible uses of data within and outside of the organization, both which may be discoverable in the event of a regulatory or third-party inquiry – is also an essential component of integrating e-discovery into business practices. First, organizations should devise a way to notify employees of policies; ensuring employees have access to and understand policies may require combining education about them into other training opportunities.

In addition, by communicating with employees, companies can leverage their own staff in minimizing e-discovery pitfalls and meeting legal obligations. For example, organizations must notify custodians likely to have relevant data once it implements a legal hold; by communicating effectively with those key players, a company can prevent the inadvertent destruction of data.

Tip 5: Invest in Technology

Crucial to an organization’s legally defensible and cost-effective e-discovery process is its use of technology to minimize the burden of Big Data. The time required to engage in manual review of today’s voluminous data stores makes it an unlikely option when facing time-sensitive litigation; moreover, human review may result in inconsistent interpretations and, thus, inconsistent results or the inadvertent production of confidential or privileged information.

Advanced e-discovery tools can automate and accelerate the e-discovery process, resulting in a significant return on investment. For example, using keyword search and advanced analytical tools to mine for responsive data and employing technology-assisted review to prioritize documents can expedite review—saving time and reducing costs. Moreover, these tools can enhance the accuracy of a review, creating greater defensibility for a company’s e-discovery process.

Organizations should also consider investing in technology that can protect personally identifiable information for both compliance-related purposes and in document production. Automated redaction technology, for example, when used in conjunction with tools that automatically detect patterns in text (such as social security or account numbers), can automatically redact and can shield personally identifiable information otherwise subject to production in a lawsuit.

Tip 6: Document Everything

Above all, creating a robust audit trail is imperative. In the event that your company must defend and explain its processes and decisions to a court or to a government agency as part of a regulatory investigation, its documented policies, along with information on its enactment and steps undertaken to facilitate its execution, will serve as key support of your company’s good faith, routine operation of its data management and destruction policies as well as your steps to comply with discovery duties.

By following these strategies, pharmaceutical companies can integrate e-discovery processes into their existing business practices so that when the specter of an investigation or litigation looms, they have the means to access easily the data they need to comply with their legal obligations.