Guest Post: Privacy Lost – Can Information Privacy Survive the Era of Analytics?

Authored by Kon Leong, CEO and Founder of ZL Technologies

In a recent article published in Harvard Business Review, I discussed the growing capabilities of analytics technologies, and the need to be conscious of the privacy implications that accompany them. Though I believe the piece to be of general interest, it also offered focused advice for a management audience. Now, I would like to take a step back and expand the data privacy conversation, as well as provide some insight for the executive level.

Decoding Data Privacy

When I published the initial article, several of my colleagues responded that they believe data created at work necessarily cannot constitute personal information, and therefore belongs solely to the employer. Though I may have at one point agreed with this statement, my thinking has shifted in recent years. The influx of new data sources has given rise to more personal data being created—at work, at home, everywhere—while it simultaneously becomes harder to separate personal data from corporate data. In light of these changes, it could be time we rethink what privacy in the workplace really means.

In a corporate context, some might define privacy as meaning no organizational knowledge of sensitive, personal information. Due to regulatory and legal requirements to collect and preserve data, and the increasing rate at which such data is created, this is quickly becoming unrealistic. Do organizations then do their best to ignore this data, until it’s needed by Legal or Compliance? In today’s age, turning a blind eye to sensitive information and pretending it doesn’t exist is akin to the philosophy of “see no evil, hear no evil, speak no evil.” The problem is that leaving sensitive information untouched doesn’t necessarily remove any or all privacy and security concerns.

Because it’s near impossible for us to keep personal data out of the organizational reach, more reasonably, modern privacy might simply come to mean that personal data cannot be improperly utilized, processed, or accessed. Although counterintuitive, in order for this type of system to work, an organization must have complete command over its data. In other words, rather than knowing as little as possible, this new information governance approach seeks to know more in order to exert control over data.

The following insight highlights this paradox: The CIA’s system of managing classified information could arguably be very intrusive because of the oftentimes private nature of the content it manages, and the expansiveness of its reach. However, thanks to classification schemes and access privileges, data can only be accessed for its intended purposes, thus ensuring privacy is maintained.

Privacy by Design

Although it can be extremely effective, the governance approach to privacy is easier said than done. Privacy can’t just be an afterthought. It must be instituted by design, at the architectural level of an organization’s information strategy.

Before going down this path, organizations should consider convening an information governance committee to determine what kind of compliance and ethical values they want the latest information technologies to usher in. The committee can help define corporate policies on gathering, handling, managing and analyzing what is perhaps the most significant asset of the modern enterprise: information.

Concurrently, begin internal assessments of employee values on privacy, ethics, and fair use of data. You may need to account for significant cultural and regulatory variations across different regions and countries. Such findings can then inform and guide the information governance committee in creating policies down the line.

The Road Ahead

When I published the original article in Harvard Business Review, I hoped to jumpstart the information privacy conversation. When compared to Europe, it’s hard to ignore the fact that the U.S. perspective towards privacy is less developed. However, with data growth only increasing, and new ways to track, monitor, and analyze individuals springing up all the time, it’s a conversation that’s getting harder to avoid, within living rooms and boardrooms alike.

These reasons alone might not be enough to get the U.S. to rethink privacy. But if money talks, fines of up to 4% of global sales should be at least enough to get the ball rolling once the GDPR hits next May. Let’s just hope that for companies who wait until then to start planning, it’s not too little, too late.

 

Information Governance Benchmark 2017: The Business Value of Long-Term Digital Information

In 2016 we were pleased to work closely with IGI Supporter Preservica to benchmark the state of the industry on the critical issue of governing and preserving long-term digital information. Our Benchmark Report exposed the troubling dynamic that while virtually every organization (98%) needs digital information for longer than ten years, very few (16%) have a viable approach.

This year, we dig even deeper, trying to get to the bottom of this dysfunctional dynamic and learn what IG professionals are doing about it.

The upshot?

Our 2017 research could not be clearer: long-term digital information is more important than ever. It's driving business value and protecting organizations from risk. It is also proliferating, and can be found in more business functions and systems than before. Finally, the consequences of failing to properly govern and preserve long-term digital information only grow graver, with the impact felt all the way up to the CEO and board of directors.

Here are some additional highlights:

It’s the C-suite that suffers most. IG professionals told us that their CEOs, General Counsels, heads of Records Management, CIOs, and Boards of Directors are those most affected by failure in this area. Dropping the ball on governing and preserving long-term digital information not only creates multiple sources of legal, security, and compliance risks, but it also starves the organization of the information raw materials it needs to understand what happened so it can intelligently predict what will happen. As big data technologies and techniques continue to radically improve our ability to harness our data, this failure will only grow as a grave threat to competitiveness and innovation.

Business value rises to complement risk. Value and risk are two sides of the same coin – a dynamic that has played out since the very beginning of commerce itself. But while legal and regulatory requirements have long driven preservation and governance of long-term digital information, the quest for business value is rising as a major driver too. In fact, the vast majority of organizations (83%) realize (or plan to realize) direct business value from their long-term digital information, targeting areas like market analysis, product development, and customer service.

Proliferation across systems and functions. While it is no surprise that collaboration environments (e.g., file sync and share, enterprise content management) are identified by IG professionals as the most likely location for long-term digital information, we were surprised by other systems in the top five, including accounting and transactional systems. Long-term digital information is proliferating.

Awareness of technological solutions lags. Why do organizations struggle to realize business value from their long-term digital information? IG professionals told us that two of the biggest reasons are organizational immaturity and a lack of proper tools and technology. At the same time, they told us that capabilities like “ensuring readability and usability of information” and “proving authenticity and trustworthiness” are critical to their ability to govern and preserve long-term digital information. These are capabilities that can in fact only be delivered through technology, and specifically technology that has been designed to address the range of challenges inherent to long-term digital information. These technologies are available today, and it is disappointing to see that a lack of awareness of them and access to them continues to plague organizations.

We have captured additional insights in a series of infographics that we encourage you to download and put to good use as you build support for solving this problem in your organization. It was a pleasure to work with Preservica on this research, and we hope you get value from its insights. We look forward to bringing you the next benchmark in 2018.

Click here to view & download the Preservica 2017 Benchmark Infographics in the IGI Community.

 

Guest Post: Preventing the Surprise Attack of the Email Monster

An Integro White Paper

Introduction
When you think of a monster, you likely dredge up some sort of creature that wreaks havoc at will, always lurking behind the scenes waiting for the most inopportune time to appear, then emerging and causing untold damage to everything in its path as it rages out of control. The worst kind of monster is the one that continues to grow unchecked.

Ironically, this same description fits company email when it is unceremoniously archived en masse. It sits quietly squirreled away in massive files, expanding at incredible rates, stockpiling seemingly harmless dialog. As the email archive balloons, it consumes ever more resources and then without warning surfaces surprising conversations that create a potentially harmful scenario for the company as it faces litigation. Fortunately, there is a way to effectively get control and manage this monster to reduce risk, avoid runaway archiving costs and improve litigation preparedness.

Five to six years ago, email management was thought of as an interesting idea but it seemed easier to stick with the prevailing philosophy of storing everything forever. Storage was believed to be cheap, search was easy and most tools to manage email were considered cumbersome.

What executives didn’t foresee when making this decision was that the exponential growth in content, combined with the increase in litigation activity and heightened threat of breach, would end up making the ‘store everything’ decision an unsustainable approach of monstrous proportions.

Doing The Math
According to the Radicati Group’s Email Statistics Report, 2015-2019, the number of business emails sent and received per user per day totaled 122 in 2015. This figure continues to show growth and is expected to average 126 messages sent and received per business user by the end of 2019.

When you consider an employee handles approximately 122 emails a day, the volume of email for a 5000-person organization over a work week of five business days would be more than 3 million emails. Over a year that would be more than 220 million emails.

The volume of business information being retained has come into focus as organizations see their Information Technology budgets rapidly being consumed by the ever-growing cost to store the burgeoning volumes of information.

Not only is archiving all your email expensive in terms of gobbling up today’s available dollars, it is also eating away at the organization’s ability to evolve since strategic initiative funding must be sacrificed to the burden of storage costs.

Frightening Thoughts for Corporate Counsel
When the Federal Rules of Civil Procedure were modified in 2006 to address the issue of electronically stored information (ESI), it changed the handling of electronic evidence, which in turn changed the way cases are argued and evidence is collected and preserved. It became clear to the business world that eDiscovery was challenging, costly and extremely difficult to manage. Although the need exists to be ‘eDiscovery ready’ (having proper governance and defensible preservation and disposition of ESI, including email), achieving success in this area still seems elusive for most organizations.

Besides the risk of over retaining information by archiving everything, it is simply too expensive during the eDiscovery process to sort through all the electronic water cooler chat that happens on a daily basis to find evidence germane to pending litigation. Any company that has ever had to write a check to cover eDiscovery costs knows they need to find a better solution than wholesale archiving of email content.

They also know that without changing their email management strategy, each eDiscovery will become ever more costly with more email to search through and more email that matches preservation criteria.

Enforcing email management policies has also been further complicated by the growth in the disconnected user base resulting from expanded access capabilities. Employees may be accessing the mail system from a smartphone, tablet or other existing or future devices or access points, yet organizations still need to enable email management policies regardless of how their employees are interacting with the system.

Attempts at Dealing with the Email Monster
To date, business policy regarding the retention management of email was established not based upon what was proper and best for the business, but instead upon the limited tools available to enforce policy. This unfortunate reality has fostered ineffective email management policies of the past decade including:

  • Keeping it all – the most common archiving mistake from the last decade which has caused the over-retention challenges we see in this decade.
  • Placing a mailbox size quota on the whole mailbox – ignoring the value of individual emails. When users hit the limit and find themselves in ‘email jail,’ they sort by size and delete the largest emails, thus keeping the clutter of smaller emails and likely losing important emails.
  • Personal over-archiving – many firms addressed the system storage problem by allowing users to save email in files on their local hard drive. This only enabled user over-retention and exposes firms to massive eDiscovery headaches and costs.
  • Deleting all email at “x” number of days – this obviously fails considering that records do exist in email and the company is wholesale disposing of them. It is also highly disruptive to end users and they’ll pursue workarounds causing even greater issues for information governance.

The above approaches fail considering that it is not the age, size, sender or recipient that determines the value of individual messages. The value of email messages, just like with paper, is determined by what the message says. Most messages are transient, and of fleeting value. A few emails document the business of the organization, and others are helpful to the users in performing their job duties. Thus, classification of email based upon content value is imperative. Two divergent camps have emerged:

  • Auto classification – while attractive for obvious reasons, this has proven unsuccessful due to the costs and level of effort required to train the auto classification software, and considering the highly unstructured, colloquial and brief nature of email.
  • Manual classification – While users know their email the best, many attempts have suffered due to the approaches and tools provided to enable the user to do this easily and quickly.

The best approach has proven to be an elegant blend of auto and manual classification. Automation and ease-of-use are critical, and the time expiration and size quota features must be leveraged intelligently. This, combined with executive support and good communications, enables firms to achieve the goal of proper email retention and governance, including defensible disposition of the majority of email as transient content.

Landing on the Critical Fix List
The original driver of email management was systems efficiency and regulations in the securities industry, which led to archiving. Archiving all email has simply proven untenable. The new drivers can be summarized as:

  • Reduce risk posed by email that was unnecessarily retained
  • Reduce eDiscovery costs of searching and reviewing oceans of clutter
  • Reduce runaway storage costs

Any one or a combination of these factors has caused email management to rise to the top of many organizations’ critical fix list.

Managing the Email Monster with Value-Based Information Governance
Most organizations are moving envelopes through their email system but they don’t know what is in them. With Integro Email Manager™, organizations gain visibility into what is inside the envelope so that informed decisions can be made, based on actual content versus basic email identifiers, and avoid an embarrassing and perhaps costly surprise email surfacing in the future.

Integro Email Manager offers value-based information governance that applies Auto Classification with Human Oversight™, customized to meet your specific business needs. It enables your organization to:

  • Properly retain and govern what’s important
  • Dispose of what you don’t need as early as possible
  • Avoid disrupting the productivity of the end user

When email is received, Integro Email Manager automatically evaluates the content of all messages and calculates its value. Typically this evaluation will only identify a few messages that qualify as relevant business communications – a business record. These few messages, that exceed the set probability thresholds, will then be declared and classified automatically as records. If Integro Email Manager’s confidence rating on a message is close to record caliber, a suggestion will be offered to the user with its confidence rating and suggested records category.

Importantly, the employee remains in control and can change the classification based on their personal knowledge of the email. This type of consideration is only necessary on a few of the messages received each day and only takes a moment. Users can also quickly tag messages as records when email is sent, or use their own folders to auto-tag messages as records. The same tagging method also enables users to keep messages longer in a centrally-managed, personal storage. The majority of messages will be auto disposed per a transient, short retention policy.

The Integro solution includes SmartAssist®, which uses contextual classification to provide suggestions. SmartAssist is initially trained with example emails but then continues to learn on the fly at the user level as it receives feedback based on user work patterns. SmartAssist is unique to Integro Email Manager and enables companies to gain the support of its workforce to achieve the goals of true value based retention.

Integro Email Manager eases cultural adoption because you can start with generous retention periods and refine policy over time in a stepped fashion. Employees are able to remain in control of their individual work habits as they create and name their own folders they plan to use. With a click of a button these custom folders map to the corporate file plan. In addition to self-managed folders, users can tag the few important messages where they are, anywhere in the mailbox, to be retained longer for personal use or as company records. Most importantly, emails can be tagged as the message is sent and all internal recipients easily see the records designation.

Integro Email Manager (IEM) is the only proactive email content management solution for Notes, Exchange, and Office365, enabling organizations to keep what’s important and eliminate what’s not. IEM can govern email in place or can be integrated with leading ECM systems.

While this solution can assist companies across industries, it is an ideal fit for any company that has any one or combination of the following attributes:

  • Large base of email users; typically starting at around 2,000 employees
  • Regulated industries
  • Litigation risk or activity

 

 

Guest Post: Big Data From Employees Lead to Big Risk For Employers

This article was originally published on The Relativity Blog. It was written by Sam Bock, editor of The Relativity Blog and a member of the marketing communications team at kCura.

Between Wikileaks, tech experts, and the Federal Trade Commission, we have no shortage of sources reminding us on an almost daily basis that the Information Age brings both invaluable new resources and technology, and a significant threat to personal privacy. Data is everywhere, and it’s accessible by more entities than ever—including employers.

To get to the heart of how employees understand data privacy and how their online behavior at work can impact it, kCura recently commissioned a survey conducted by Harris Poll among 1,013 US adults age 18 and older who were employed full-time or part-time, working in a traditional office setting for at least 50 percent of the time, and are not freelancers (referred to as “employees” throughout).

We learned that although nearly all employees (98 percent) say their privacy is important to them, the majority (60 percent) have used their personal device in some way while connected to their company’s WiFi, which potentially sacrifices that privacy while at work. Here’s a look at the results and how employers can protect themselves against excess data proliferation.

Check out the full report for more insight into the data and a method statement for the survey.

 

Guest Post – Information Governance and the Social Enterprise

Information Governance and the Social Enterprise
by Robert Cruz, Senior Director, Product Marketing of Actiance, Inc.

Another terrific gathering of information governance and records management thought leaders at the MER Conference and the IGI’s awesome Chief Information Governance Officer (CIGO) Summit in Chicago.

MER provided a great opportunity to present our thoughts on “Information Governance and the Social Enterprise”, reflecting upon the massive changes underway in the ways that organizations are communicating and collaborating through tools like Slack, WeChat, Skype for Business, and a dizzying number of new messaging tools appearing almost daily. This was not exactly mainstream MER content, leading to quite a few comments and inquiries before the session along the lines of:

“what does social media have to do with records management?”

“is there an information governance for the anti-social enterprise?”

“we don’t govern social content… our policy is to block it”

Which I attempted to address during the session, and will summarize here.

Key Point 1: Your employees are using LinkedIn, Twitter, Skype for Business – and WhatsApp and WeChat.

Today, more organizations are sanctioning the use of LinkedIn to reach prospects. They’re enabling Skype for Business conversations with customers that include video, voice, messaging, and app sharing. They are engaged in selling efforts with information delivered uniquely across mobile devices. In fact, one major bank indicates that they sent more IM than email last year. A recent survey from PwC indicates that more than 40% of respondents indicated a social media presence is important in their choice of a health care provider. And, today, WeChat has over 1 billion users around the world. Great, but why does this matter? It matters because governance is about managing information according to its value or risk. And the reality today is that more firms and employees are communicating and collaborating on channels outside of managed email and content management repositories – in some cases over channels that are not currently under governance controls.

Key Point 2: This is not just an issue for regulated companies. Business records are everywhere.

The idea that one can control social media or encrypted instant messaging tools is a new concept for some. And while it is true that regulated firms have progressed further with the idea of proactively capturing these non-email content sources to meet industry retention requirements, they are not alone. Public corporations should take note of SEC regulation Fair Disclosure (FD) and the case of Netflix. All organizations are no doubt aware of employment and contract laws and personal data privacy protections. The key point is that social content can not only trigger regulatory action based upon misuse, but can also serve as a source in US civil litigation, where judges are ruling that social and messaging sources are discoverable, and where those who haven’t taken appropriate steps to preserve these sources have suffered the consequences. Unfortunately, the reality of business records expressed as 140 character Tweets has arrived (and, yes, even excluding those emanating from Pennsylvania Avenue at 2:30am).

Key Point 3: Your policies should be applicable to your communication tools.

Have you touched your employee communications or records retention policies lately? If not, it may be time to ensure that your policies are keeping up with the ways individuals are doing their job today. Policies designed for email may need to be reviewed to ensure these rich tools can be used by specific job holders. Similarly, retention policies may be worth a touch up as you consider the possibility that a conversation that includes information covered under a non-disclosure may be taking place right now on Skype for Business.

Key Point 4: Your governance tools must be designed for today’s communications.

Equally important, organizations should be asking whether the technologies they currently use to capture, retain, supervise, and discover business records (or data that might be responsive to civil litigation) were designed for the communications of a different era. Those continuing to leverage technology designed 10-15 years ago may be in for a big headache the first time a large legal matter or regulatory inquiry arrives that requires the review and production of social media, instant messaging, or voice communication.

We look forward to continuing to help organizations meet these new InfoGov challenges created as your organization’s patterns of communication and collaboration continue to evolve.

 

Guest Post: Valuation of Information

The following is part of our guest blog series.

Jane C. Allen and Brian Fox, who advise organizations on e-discovery, forensics, and a broad range of additional IG topics in their roles at PwC, wrote this piece, and it is published as it was provided. PwC is an IGI Supporter.

Information valuation is the topic of the keynote address at the CIGO Summit. PwC will also be there talking about their model, and we also have a deep dive session on models and calculators that are in use now at several organizations. There are still a few seats left -  register here. 

The Information Economy

It’s often been said that we are in an information economy. But what is the actual value of the information that’s driving it, and how do you measure it?

Is your information an intangible asset such as goodwill? Is it related to the volume or recency of data? Setting aside the accounting implications of information value measurement on balance sheets and overall company valuation, the idea of being able to use valuation as a means of weighing the economics of our own efforts around information governance is compelling.

That’s why we created this framework, which we call VOI — valuation of information.

(Some) Information Has Value

The notion of information having business value is not new.

Consider the willingness of investors to buy stocks in companies that hold information — even in apparent contravention of their financial performance. Or the large-scale IPOs or acquisitions of data-based companies (often devoid of significant physical assets), even with formal accompanying statements that the company may never make a profit.

There are countless other examples (both legal and illegal) where data is valued — bought and sold, for commercial purposes. But there’s a missing piece to the discussion, which is the implication that information is somehow a monolithic thing. Anyone who works in the field of information governance knows that nothing could be further from the truth.

All Information Is Not Created Equal

Let’s look at some examples. Some information is highly valuable: Think customer buying activity data or the explosive growth of “Internet of Things” devices carefully collecting and curating data on our every move. These are the data we expend significant effort and resources maintaining, protecting, mining and analyzing.

Some information could be highly valuable, if only the attributes of the data were a little better — better quality, a larger population, a little more normalized, a little better managed. (Think of the potential, for example, of activity trackers that collect geolocation, activity, weight, demographics, etc.)

Some information has no value, or at least none that you can perceive today. (We’ve never met a company that argued when we showed them that a very large percentage of their enterprise information went unused for five years or longer.) Even if there were some “secret gems” hiding in the oceans of dead data, expensive work would need to be done — in forms of both time and money — before you knew if you could extract a net value.

Some information costs you money, either because it is misleading, inaccurate, too inaccessible or has too great a noise-to-signal ratio and therefore impairs your ability to find truly valuable information.

No Assets Without Liabilities: It’s True of Information, Too

Many companies employ third parties at significant cost to perform data analysis that is too difficult for them to produce on their own. Many are mindful of the potential risk exposure that could arise in the wake of a cyber-breach, and are forearming themselves with cyber-insurance.

Clearly, information valuation is fraught with practical difficulties. If the aim is to value information assets, we must also be willing to consider information liabilities. We must consider the ways in which information can be improved (or can deteriorate) — and how that could impact its value over time. And crucially, we must account for one of the particularities of information: the fact that, unlike other assets, the same information can be used in many different cases — with a commensurately accretive value.

What’s needed is a systematic approach that enables a company to evaluate units of information — one that acknowledges imperfections, reveals opportunities and guides our resource allocation in a rational way. In this spirit, we offer a framework for the Valuation of Information (VOI).

The VOI Framework

Our VOI framework is composed of twelve dimensions grouped into four categories. The attributes are used to measure the business value of the information in the service of a specific use case.

The four categories are:

  1. Information Scope. How closely does the breadth (in time and population), depth and completeness of the information match the ideal data set for a given use case?
  2. Information Quality. How well does the quality of data elements, their structure and the traceability of the information support confidence in the analysis for a given use case?
  3. Information Accessibility. How easy is it to access, analyze and manipulate the information for a given use case, and how easy is it to integrate the information with other key systems in that use case?
  4. Information Scarcity. Sometimes it is the scarcity of information that drives its value. In such use cases, this category measures how unique the information at hand is, both today and into the future.

PwC Valuation of Information Model

Put VOI to Good Use

We hope this new VOI framework will help companies think differently about their information and explore new use cases that could bring needed attention to potentially hidden value, previously unexplored. And while we acknowledge that there is much room for debate and refinement, we think this is a meaningful first step to the process of credibly tackling information valuation — with potential for real-world, short-term benefits.
