“We used to talk about information as the new oil, the new gold. Here’s an asset that we can mine and get value from now,” says Duncan Fraser, partner at Noticia LLP and veteran e-discovery lawyer.
“It’s more like a weed.”
Fraser has spent two decades at the centre of electronic evidence, first with the federal Department of Justice and now advising organizations facing complex litigation. He offers a pointed warning to technology leaders, saying the surge in corporate data is less an asset than a liability.
Terabytes of chats, emails, and files are generated daily. The issue isn’t storage, it’s whether companies can find, protect, and hand over the right information when courts, regulators, or the public demand it.
The standard is reasonableness, not perfection
Fraser stressed that no system will ever capture everything.
What courts look for is evidence of planning — “reasonable, good-faith efforts,” not flawless disclosure. That starts with knowing what you have and where it lives.
“Once you’ve got an inventory of the types of information… you’re much better positioned to come up with a plan to identify the actual content and collect it,” Fraser explained during CIO Association of Canada’s Peer Forum.
The Public Order Emergency Commission into the 2022 Ottawa convoy protest showed how unprepared organizations can be. Investigators had to track down WhatsApp and Messenger messages between city leaders, including exchanges between the mayor and the chief of police.
Extracting that data meant physically seizing devices, a slow and invasive process that can cost thousands per phone. For CIOs, this shows the risk: without a plan for mobile messaging data, you only deal with it when the stakes are highest.
The same challenge appears in day-to-day duplication. Fraser described a recent case in Alberta where a private law firm handed over 20 terabytes of information.
After analysis, only 1.2 terabytes were unique. Every backup, migration, and saved copy had been kept, creating ballooning costs and wasted effort. Deduplication cut the review workload tenfold and saved significant money.
For CIOs, it’s a reminder that old files and redundant systems can create new liabilities.
Using AI without adding new risks
Generative AI has raised expectations that machines can take over time-consuming legal work.
Fraser urges caution. He pointed to recent U.S. cases where lawyers were sanctioned after submitting AI-generated briefs that cited court decisions which didn’t exist, a reminder of the risks in relying on tools that can’t guarantee accuracy.
“Don’t expect AI to actually solve your problems right now,” he said. “Expect and have AI inform how you are addressing the problems you have.”
The value lies in tasks humans struggle with, like connecting fragments of personal data across files or spotting inconsistencies across large collections.
But costs add up quickly. Industry rates can reach 60 cents per document, per query. CIOs considering AI need to weigh its benefits against real-world constraints, and see it as a supplement, not a shortcut.
Regulatory risk is rising, too.
Canada tried to update its federal privacy laws via Bill C-27 in 2022. When Parliament was prorogued in January 2025 that bill died.
Legal experts warn the federal gap leaves organizations relying on older laws like PIPEDA while provinces act. Québec’s Law 25 has enforced new rules, and Ontario’s recent amendments to FIPPA will bring in stronger obligations in mid-2025.
For CIOs that means readiness isn’t optional. Records governance, metadata, and data-mapping matter now, not later.
Turning metadata into a practical tool
Metadata (dates, file types, attachments) can be unreliable, but it is still the foundation for organizing and reviewing information. Fraser’s advice was to stop treating metadata purely as a legal checkbox and make it a tool for employees.
“Make it visible,” he said. “Make it so that they can find what they want. Make their jobs better by giving them better access to the content they need.”
When employees see metadata as useful, they maintain it naturally. That reduces downstream costs when disclosure or litigation events arrive, and avoids the expensive cleanup that comes from messy or incomplete records.
Final shots
“You will fail to do this perfectly,” Fraser said.
“There is no possible perfect information, identification and gathering exercise, but your plan can be pretty close to perfect.”
For CIOs navigating an era of terabyte-scale data and rising privacy rules, Fraser’s foundation of staying defensible when the next data request lands comes down to three moves:
- Map your data: build a basic inventory of where information is created and stored.
- Categorize it: flag sensitive, duplicative, or low-value content so you know what matters.
- Write a plan: document how you’ll respond to requests. Imperfect beats unprepared.
Digital Journal is the national media partner for the CIO Association of Canada.
