Information Governance Myths Busted

Information Governance: Busting Three Big Myths

Guest Blogger:
Phil Favro, Recommind

Information governance is increasingly recognized as vital to an organization’s ability to realize value from its information in a way that addresses legal, operational, and other forms of risk. Nevertheless, many still view IG as a theory rather than an action. While many information governance leaders (like the IGI) are working to promote information governance action and combat common misconceptions, nothing speaks as powerfully as the massive and disastrous data breaches and policy failures splashed across the headlines over the past several months. Those headlines – particularly those involving Sony and the U.S. State Department – painfully bust three of the most common IGI myths.

Myth No. 1: Information Governance is eDiscovery Preparedness

IG is often conflated with eDiscovery preparedness, which leads some to dismiss IG as only the province of repeat litigants. The “Sony Hack” helps us declare this myth busted.

In the Sony debacle, a hacking group infiltrated the corporate network of Sony Pictures late last year removing,

Slowly and painfully, the group leaked that confidential information, which includes executive compensation, employee social security numbers, unreleased movies, and a substantial collection of corporate emails. The fall-out has been both swift and embarrassing, with Sony still struggling to emerge from the public relations disaster caused by the hack.

Could the Hack have been prevented or the damage it caused minimized through IG? While the answer is a resounding yes, the IG lesson from the Sony Hack is not related to eDiscovery. Instead, the Sony Hack teaches the importance of eliminating unnecessary email stockpiles. As Sony’s general counsel (who, incidentally, had over 4,000 “deleted items” from her email account stolen) apparently explained in one of the now disclosed emails:

“[T]he issue behind our moving in this direction is not one of whether the company should continue to retain its records etc. It is about the fact that email is not the correct repository for this . . . While undoubtedly there will be emails that need to be retained and or stored electronically in a system other than email, many can be deleted and I am informed by our IT colleagues that our current use of the email system for virtually everything is not the best way to do this.”

The best way to “defensively” guard the company’s information blindside is to implement an “offensive” email minimization program. While getting rid of unnecessary email would undoubtedly help the company in future eDiscovery efforts, it would also ameliorate the security challenges exacerbated by “unwisely hoarding internal communications” and other data. As the Sony Hack makes clear, information governance is much more than eDiscovery.

Myth No. 2: Information Governance is Unnecessary in the Age of Big Data

Another myth dispelled by the Sony Hack is the idea that information governance is unnecessary in the age of big data. Big data advocates have increasingly questioned whether governance (with its focus on classification to enable keep v. delete decisions) is necessary given advances in search and storage technologies. However, the Sony Hack starkly demonstrates how ungoverned data stockpiles can quickly become a security problem.

Big Data or not, the need to identify, protect, and manage in a special way IP (intellectual property), PII (personally identifiable information), and other sensitive, proprietary, and generally valuable information has not gone away. In fact, the need has arguably increased as more business processes have become fully digital and thus ripe for loss and theft. As suggested in a recent article, one method for doing so could involve adding “layers of encryption to protect internal traffic from prying eyes” and isolating confidential materials “from central data-storage systems connected to the Internet, making it harder to find.” It could also include the use of artificial intelligence, machine learning, and automated technologies, all of which facilitate the identification and isolation process.

While Big Data is here to stay, the Sony Hack shows that Big Data plans are only realistic and responsible in the context of a unified governance strategy of policy, practice, and technology.

Let’s consider this information governance myth busted.

Myth No. 3: Information Governance = Information Management

A third myth regarding information governance is that it is merely another name for information management. Such a misconception overlooks the impact of consumerization trends on the workplace and the risks that mobile devices and personal clouds can pose for organizations. The recent revelation that Hillary Clinton used a personal email account to conduct government business as secretary of state exemplifies why policies surrounding the use of devices and clouds must be baked into the enterprise’s information governance program.

In what has been referred to as “emailgate,” Mrs. Clinton apparently used a private email address in lieu of an official government account during her time as secretary of state. The immediate effect of this practice was that “her personal emails [were not] preserved on department servers at the time, as required by the Federal Records Act.” Beyond issues with record retention, this practice has also complicated the government’s tasks of searching for and identifying responsive information for legal inquiries. In addition, experts have opined that Mrs. Clinton’s personal email account was more vulnerable to hackers than a “secure government account.”

Such problems are somewhat analogous to the information retention, eDiscovery, and security challenges created by employee use of mobile devices and personal clouds. If not properly addressed, devices and clouds can undermine legal obligations and complicate preservation and production efforts in litigation. They can also leave data more vulnerable to misappropriation.

Organizations cannot address these issues without actionable information governance policies, supported by intelligent, user-friendly enabling technology. Policies need to clearly delineate the parameters of work to be performed on a personal mobile device or cloud. This includes audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance. These policies should also define the nature and extent of the enterprise’s right to access, retain, and/or destroy data on the device or cloud, and to disable a device or cloud during or after employment. In addition to strengthening an organization’s security protocols and eDiscovery preservation measures, these policies will also help it better maintain and enforce its retention schedules.

In short, information governance is not synonymous with information management. Myth busted.

Beyond the Myths: Taking IG Action

There should be little doubt that basic IG programs with simple policies and effective, enabling technology would have minimized the problems seen in the Sony Hack and emailgate. However, these extraordinary events should not be viewed as exceptions to the rule, but examples of the rule itself. As evidenced by the recent Ashley Madison data breach, these scenarios seemingly repeat themselves daily across the globe. Investment in IG is perhaps the only way for organizations to position themselves to monetize their data and remain competitive while addressing the new threats created by the volume and value of our information and the new ways we want to use and access that information. It is time to move beyond the myths and take IG action.

Editor’s Note:

The IGI thanks Phil for this excellent contribution. His insight into common myths about IG and how they are easily “busted” by even a cursory examination of recent events is incredibly valuable for our community. To take action on IG, check out the resources on the IGI Community including, for example, our just-published Benchmarking Report that will help you understand where you rank among your peers in IG program maturity. Also, check out Phil’s other writing on the excellent Recommind blog.