Log In


IGI and TGCI’s “The Exchange” Presents The Information Governance Forum 2017

November 1st, 2017-The Buckhead Club
Atlanta, GA

Colloquium Lead Moderators:
Barclay T. Blair
Information Governance Initiative

Jason R. Baron
Drinker Biddle & Reath LLP

“The Exchange” Information Governance Forum – Atlanta, is the first program developed and delivered through the new TGCI partnership with IGI. Building off TGCI’s successful roundtable format, this inaugural Forum will focus on facilitated conversations designed to rapidly increase your IG insight and fluency. Beginning with a discussion of IG as a concept discipline and market based on the IGI’s Annual Report research series, this day of peer discussion will move through a broad range of topics, each with a practical implication for IG programs at all levels of maturity.

Some pressing topics that "The Exchange" will cover are:

  • Who Is Doing IG, and What Are They Doing?
  • Identifying and Coordinating IG Stakeholders
  • GDPR and IG: What You Can Do Today
  • IG and Cybersecurity: The Role of the General Counsel and the IG Team
  • Governing Information Over the Long Term – How Do We Manage Digital Information That We Must Keep Forever?
  • Case Studies in IG

Click here to register for "The Exchange" Information Governance Forum Atlanta


An Open Letter to Equifax

Charles Hoff has been a speaker at our events, and provides a very insightful perspective from someone who has grappled with the complexity of these issues for many years at the highest levels of corporate America. You can meet Charles at our upcoming event, "The Exchange" Information Governance Forum in Atlanta, Georgia on November 1st, 2017.

An Open Letter to Equifax
Charles Hoff

Charles Hoff is a former SVP of Legal Affairs for Equifax, and works in the ID theft and fraud protection industry. 

I recently took a call from a reporter who was looking for a new angle to the massive Equifax breach. The fact that years ago I worked as Equifax's Senior Vice President & International Counsel and am now in the cybersecurity industry seemed to hold some allure.

Having dispensed with a long list of anticipated questions, there was a follow-up by the reporter: “Can Equifax survive this breach?”

The answer is yes, partially because Equifax has the financial and human resources to bounce back.  However, it would be a much different answer if the question had pertained to a breached small business. Helping to form the cornerstone of the U.S. economy, small businesses make up 99.7% of U.S. employer firms. The 2016 State of Small and Medium Sized Business (SMB) Cybersecurity Report draws from prominent surveys to estimate that in the last 12 months alone, hackers breached half of these businesses.

What receives scant attention is that on a daily basis America’s 28 million small businesses and their consumers are engaged in a losing battle with hackers targeting what fraudsters consider to be the most vulnerable of targets. The results are devastating given the vast number of companies that fail to survive breaches, as well as the inordinate price that consumers pay in terms of time and money to restore their credit ratings and counter ID theft and fraud. Former SEC Commissioner Luis Aguilar wrote in a 2015 public statement, “Cybersecurity is clearly a concern that the entire business community shares, but it represents an especially pernicious threat to smaller businesses. The reason is simple: Small and midsize businesses are not just targets of cybercrime; they are its principal target.”

The dirty little secret among cybersecurity experts is that the overriding number of SMB data breaches can be easily avoided by implementing simple security measures and training.

These breaches have fostered a cottage industry in credit monitoring, notification and repair services as companies such as Equifax have appropriately profited from the countless unfortunate breaches of SMBs, along with the resulting effect on consumers.

Ironically, Equifax, through its own breach, is now uniquely positioned to leverage the resulting public forum to help stem the tide of this daily cyber onslaught. In fact, the key to Equifax’s redemption and ability to restore the public confidence may inextricably be linked to their willingness to give a helping hand by attacking the root causes.

What if Equifax added to its mission the objective of confronting head-on the national crisis we face regarding cybersecurity, by implementing educational initiatives to make SMBs aware of the practical steps to avoid breaches? If executed effectively, the company would be responsible for stemming countless business failures, saving jobs and preventing the public from needless cost and stress.

By being a vocal advocate and creating meaningful awareness programs, Equifax can become an integral part of the solution.  Additionally, it can use its formidable influence to have industry leaders join the fight that has been so confounding to US government agencies seeking greater support from the private sector in the war on cybercrime.

Equifax can rebound strongly and regain public trust while showing how lessons learned from losing a cyber battle can ultimately help the larger American business community win the cyberwar..

You can learn more about Charles and his work with PCI University here


The Freedom of Information Act and Capstone

Authored by Jason R. Baron, IGI co-chair and Of Counsel at Drinker Biddle & Reath

The following is an excerpt of a letter submitted to the National Archives and Records Administration by the IGI in response to a public hearing of the FOIA Advisory Committee to be held at the National Archives McGowan Theatre on October 19th, 2017. Both inside and outside government, the need to take control of email while providing access to critical information (whether for business of FOIA purposes) is only growing more challenging.


There is a deep connection between improving electronic recordkeeping practices throughout government and improving public access to government records through the mechanism of the Freedom of Information Act (FOIA). Executing on the vision of providing cutting-edge access to government records will mean NARA (and its partners) devoting greater attention to implementing advanced search techniques that allow for the extracting and production of records that are responsive to various types of access requests (including those requests arising in electronic discovery, subpoenas, congressional requests, and FOIA requests). As a corollary, there should be filtering techniques aimed at identifying sensitive content in archival collections including, but not limited to, personally identifiable information (PII).

The need to make reasonable decisions on withholding PII and other sensitive information contained in government records constitutes one of the major bottlenecks to NARA providing more immediate public access to a variety of records, including for example, its vast White House email holdings. Moreover, this problem will only expand across the Executive branch in the years ahead as agency email archives increase in volume.

In response to the December 31, 2016 deadline set out in the Archivist’s 2012 Managing Government Records Directive (M-12-18), over one hundred reporting components to NARA have indicated that they have put a “Capstone” or Capstone-like policy in place, or are planning to do so in FY2017 – surely making this one of the largest email archiving experiments in history. “Capstone” involves permanent retention of designated senior officials’ emails within an agency, and retention of program-related emails of staff outside this designation for at least seven years under General Records Schedule 6.1 or an agency-approved schedule (see, “General Records Schedule 6.1: Email Managed under a Capstone Approach”, available online at https://www.archives.gov/files/records-mgmt/grs/grs06-1.pdf).

By virtue of Capstone’s widespread adoption, email records (with attachments) are going to begin accumulating in astounding volume – likely number into the tens or hundreds of millions in larger agencies in a short period of time. As stated above, under Capstone, all substantive email records of agency staff are preserved for at least seven years, while a much smaller segment of email records from senior officials are preserved forever.

Second, to deal with the new reality of Capstone archives, the FOIA component of agencies should be aware of how legal counsel are meeting their electronic discovery obligations. Ideally, FOIA staff, working with both legal and IT staff, will be able to leverage for FOIA purposes any special software an agency has acquired to perform advanced searches in connection with electronic discovery.

Third, as alluded to above, advanced searches of Capstone archives would ideally include filtering techniques designed to identify and automatically redact “FOIA exempt” information in responsive records. The state-of-the-art in filtering techniques enables practitioners to, for example, easily isolate social security numbers and other PII.

In my experience, few FOIA officers are aware of the full implications of their agency’s adoption of Capstone policies. This is understandable, given that most agencies only recently accelerated their efforts to meet the Managing Government Records Directive’s end of calendar year 2016 deadline. In my view, providing advice on how Capstone policies potentially implicate (and improve) FOIA searching of email, as well as how advanced search techniques can be implemented within FOIA workflows, is all well within the FOIA Advisory Committee’s mandate to provide thought leadership to agencies.


KM World Covers the Latest Best Practices in IG

The IGI is pleased to share the latest by KM World: a useful best practices whitepaper digging into the details of IG, sponsored in part by IGI Supporter Actiance, that includes the following perspective on the efforts of the Information Governance Initiative.

"The Information Governance Initiative, is widely credited with moving the discipline forward. It has legitimized information governance as a free-standing business exercise, distinct from enterprise content management (ECM). It is not seen as synonymous with information security but the two are most definitely related- or perhaps joined at the hip is a better way to phrase it."

This whitepaper covers the latest best practices in IG including thought-provoking points such as:

- Information Value and Risk are Everywhere
- Your Policies Need to Reflect Today’s Communications
- Employees Need to be Directly Engaged in Design of IG Training
- Your Governance Tools Must be Designed for Today’s Communications
- The Likelihood of Governance Success is Directly Proportionate to Cross-Functional Involvement



IGI Charter Supporter DBR Launches New Blog on Privacy and Security

IGI Founding Supporter Drinker Biddle recently launched DBR on Data, a blog that offers insights and outlooks from privacy, security and information governance professionals across the firm.

With GDPR looming, and cybersecurity breaches only seeming to grow in magnitude and impact each day, the need for IG professionals to understand these issues and address them as part of a comprehensive IG program has never been greater. We applaud DBR for bringing the resource to the community and we encourage IGI members to check it out.

Recent posts include:

Visit the blog and subscribe.


Leveling Up Your IG Program: Opportunities Beyond Best Practices

by Doug Meier - Pandora Media Inc. on September 12, 2017

Information GovernanceIn-House CounselLegal & Industry Education

Whether in “startup” mode or in “recurring initiative” mode, we expect a lot from an information governance (IG) program and its leaders.

For example, the program should follow agreed-upon best practices, like adhering to a maturity model and aligning with the concept of Privacy by Design, and should establish processes like records management and legal hold notification. Likewise, the program leaders are expected to communicate policies and procedures, identify and remove unstructured data debris—including redundant, obsolete, and trivial information (ROT)—and maintain ongoing IG efforts.

These are all admirable goals and objectives, but it’s not enough. For an information governance program to survive, it requires alignment with and embracement of objectives that go beyond best practices and standard guidance. Here are a few ways to level up your IG program.

To read the article in full, head over to Relativity's blog by clicking here.