Regulatory Fines, Sanctions, and the Link to Litigation

My colleague Marianna has done a terrific job keeping our customers and prospects informed of the latest trends surrounding regulatory fines and sanctions, such as her most recent post located here.  Building on that analysis, I’d like to drill into a specific aspect that is sometimes under-appreciated, namely the impact that regulation has upon eDiscovery and litigation.

This aspect of regulation is particularly timely, given the recent passage of the CLOUD Act, and the soon-to-be-implemented EU General Data Protection Regulation. Both have raised the sensitivity surrounding data privacy, similar to what high profile data breaches did to infosec a few years back. And with the increased sensitivity and scrutiny, litigation is sure to follow (as has already been witnessed by Facebook).

This sensitivity and concern over litigation that results from regulatory mishaps is not new. In fact, several eDiscovery watchers have tracked the direction of regulatory-driven litigation for multiple years, led by Norton Rose Fulbright’s Annual Survey of Litigation Trends. In its most recent report from 2017, the survey provided several interesting insights into how regulation is impacting litigation patterns. Key findings include:

  • First, pertaining directly to the impact of the CLOUD Act, Norton indicated that the percentage of firms that have experienced the need to balance the demands of US litigation against conflicting local country privacy law increased in 2017 to 58 percent. The remainder of 2018 will provide immediate feedback on if/how the CLOUD Act can eliminate this no-win situation
  • Even though regulatory- and investigative-driven litigation is far from the most commonly encountered class of litigation, it was ranked as the most concerning category of litigation by 26 percent of respondents – the highest for any category
  • In spite of the signaling by the current Administration toward de-regulation, survey respondents continue to point at several factors that lead to their concern over regulatory-driven litigation. These include:
    • 24% are most concerned because of its high likelihood
    • 23% are most concerned because of the high data volumes associated with regulatory action
    • 11% are most concerned because of the breadth and magnitude of business risk created
    • 10% are most concerned because of the disruption to their business, while another 10% are most concerned about the associated eDiscovery and litigation expense, and yet another 10% most concerned about financial exposure

Suffice it to say that, even today, there is no shortage of reasons why firms should be concerned. So, how can firms reduce some of these concerns over litigation arising from regulatory or investigative action? I’d suggest a series of small steps:

  • Don’t stay in your swim lane: In many large firms today, legal and compliance functions continue to operate autonomously with their own unique definitions of information risk, their own strategies and priorities to identify and mitigate those risks, and different control processes that govern regulatory compliance and eDiscovery tasks. The risks of data breach have begun to change this paradigm, but driving further collaboration across legal and compliance is an information governance best practice
  • Broaden your supervisory lens: Clearly, risky behavior is not the exclusive domain of registered representatives. Firms should identify additional user groups that may have access (approved/legitimate or otherwise) to sensitive or high-value information that requires closer supervisory oversight. Consider adding these groups as a new layer to existing review activities
  • Ensure that you have all content sources under control: Regulatory action can be broad, across multiple content sources, individuals, and timeframes. Deploying technologies that can enable fast, reliable access across all content sources can reduce some of the disruptive and expense burdens
  • Apply policies uniformly across channels: Examine existing employee communications policies to ensure that they apply to any and all content sources that individuals use on a daily basis. Ensuring the policies are up-to-date and inclusive should be complemented with employee training and automated enforcement to further reduce the downstream burden on compliance and legal staff
  • Examine machine learning and AI technologies to dive deeper into your data: The days of finding a needle in the haystack are over. Technology can help in coping with a world of multiple haystacks and needles that can travel freely amongst them. Auto-classification and content surveillance tools are experiencing tremendous acceptance to address today’s new realities

Ultimately, the supply of activities in a regulated firm that lead to litigation, including securities fraud, money laundering, and corrupt foreign practices, is historically proven to be highly inelastic. Taking proactive steps now to extend controls to new sources of information risk will pay dividends in reducing the expense, disruption, and unpredictable pains of these events later.

Originally published on Actiance.com 4/25/2018


Robert Cruz
