As we start a new year, many vow to make significant changes as part of their New Year’s resolutions. A top one is often the vow to lose weight, where earnest people from all walks of life attempt to focus on either dieting or exercise—but often not both.
This binary approach is similarly seen in the realm of e-discovery, where many practitioners focus on either reigning in e-discovery costs or taking charge of their records management regime, but not both. Here too, the nexus between the reactive firefighting of e-discovery and the proactive good data management hygiene is often lost, as the mandate is dispersed between differing functional groups (legal, IT, information security, records management, etc.). This is where the emerging umbrella concept of information governance comes into play, serving as a way to combat these information risks along a unified front.
Gartner, a leading technology research firm, defines information governance as the “specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information, … [including] the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals.”
More simply put, what were once a number of distinct disciplines—records management, data privacy, information security and e-discovery—are rapidly coming together in ways that are important to legal departments. It is the legal department that is often acutely concerned with the various risks attendant to the many uses of electronic information, ranging from security to retention and destruction. In-house counsel are within the department that is most intimately concerned with mitigating and managing information risk, which is comprised of a number of formerly discrete categories:
- Regulatory Risks: Whether an organization is in a heavily regulated vertical or not, there are a host of regulations that it must navigate to successfully stay in compliance. In the U.S., these include a range of disparate regimes, including the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act, the Securities and Exchange Act, the Foreign Corrupt Practices Act and other specialized regulations, any number of which require information to be kept in a prescribed fashion, for specified periods of time. Failure to turn over information when requested by regulators can have dramatic financial consequences, as well as negative impacts on an organization’s reputation.
- Discovery Risks: Under the discovery realm there are any number of potential risks as a company moves along the Electronic Discovery Reference Model (EDRM) spectrum (i.e., identification, preservation, collection, processing, analysis, review and production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI). There have been hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions of millions of dollars, simply for failing to preserve data properly. It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the e-discovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed. Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed. And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.
- Privacy Risks: Even though the U.S. has a relatively lax information privacy climate, there are many laws that require companies to notify customers if their personally identifiable information (PII), such as credit card or social security numbers, have been compromised. For example, California’s data breach notification law mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident. It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond U.S. borders to the international stage where privacy regimes are much stauncher.
- Information Security Risks: Data breaches have become so commonplace that the loss or theft of intellectual property has become an issue for every company, small and large, both domestically and internationally. The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident. Recently, senators asked the Securities and Exchange Commission (SEC) to "issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share." The senators cited a 2009 survey that concluded that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning data security exposures in their public filings.
Who’s in Charge?
Information governance as an umbrella concept helps to create better alignment between functional groups as organizations attempt to solve these complex and interrelated data management challenges. The first step is to determine ownership of a consolidated information governance approach. For many organizations the champion will be the general counsel. For others it may make sense to vest control in the chief compliance officer, if there is one or, alternatively, the chief information officer.
In any case, the owner must be able to:
- Get C-Level buy-in
- Have the organizational savvy to obtain budget
- Be able to define “reasonable” information governance efforts, which requires both legal and IT input
- Have strong leadership and consensus building skills, because all stakeholders need to be on the same page
- Understand the nuances of the business, since an overly rigid process will cause employees to work around the policies and procedures
In the end, it’s less important to argue about who should own the information governance function. Instead, it’s critical to have the mandate clearly vested in an entity passionate about bringing change to the organization. Otherwise, it’s too easy for the information governance role to get lost in the shuffle of operational politics.
Legal departments aren’t typically known for having large capital budgets to take on proactive projects like the ones encompassed by information governance. Instead, they often have seemingly inexhaustible operating budgets to put out fires like those typically seen when reactive e-discovery matters crop up. However, this reactive approach is increasingly frowned upon by cost-conscious organizations looking to control episodic costs.
A key first step is to tap into and then leverage IT or information security budgets for archiving, compliance and storage. There are likely ongoing projects that can be successfully massaged into a larger information governance play. Next, it’s often helpful to convert some of the reactive e-discovery costs into the creation of proactive and repeatable business processes. Here it’s possible to leverage enterprise-class technology to operationalize the episodic and often chaotic e-discovery costs, thereby showing both a positive return on investment and establishing this as yet another pillar of a foundational information governance strategy.
While information governance can assuredly increase the business value of corporate information, the biggest benefit is seen in the reduction of an increasingly interrelated array of information risk categories. While it’s possible to tackle each risk category on its own, it’s becoming a best practice to leverage an information governance umbrella framework in order to gain alignment and harness formerly fragmented budgets.
As we enter 2012, there is no doubt that information governance should be an element in building an enterprise's information architecture. And, perhaps different from fleeting weight loss resolutions, savvy organizations should vow to get ahead of the burgeoning categories of information risk by fully embracing their commitment to integrated information governance.