As we start a new year, many vow to make significant changes as part of their New Year’s resolutions. A top one is often the vow to lose weight, where earnest people from all walks of life attempt to focus on either dieting or exercise—but often not both.
This binary approach is similarly seen in the realm of e-discovery, where many practitioners focus on either reigning in e-discovery costs or taking charge of their records management regime, but not both. Here too, the nexus between the reactive firefighting of e-discovery and the proactive good data management hygiene is often lost, as the mandate is dispersed between differing functional groups (legal, IT, information security, records management, etc.). This is where the emerging umbrella concept of information governance comes into play, serving as a way to combat these information risks along a unified front.
- Discovery Risks: Under the discovery realm there are any number of potential risks as a company moves along the Electronic Discovery Reference Model (EDRM) spectrum (i.e., identification, preservation, collection, processing, analysis, review and production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI). There have been hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions of millions of dollars, simply for failing to preserve data properly. It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the e-discovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed. Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed. And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.
- Privacy Risks: Even though the U.S. has a relatively lax information privacy climate, there are many laws that require companies to notify customers if their personally identifiable information (PII), such as credit card or social security numbers, have been compromised. For example, California’s data breach notification law mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident. It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond U.S. borders to the international stage where privacy regimes are much stauncher.
- Information Security Risks: Data breaches have become so commonplace that the loss or theft of intellectual property has become an issue for every company, small and large, both domestically and internationally. The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident. Recently, senators asked the Securities and Exchange Commission (SEC) to "issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share." The senators cited a 2009 survey that concluded that 38 percent of Fortune 500 companies made a "significant oversight" by not mentioning data security exposures in their public filings.
Who’s in Charge?
Information governance as an umbrella concept helps to create better alignment between functional groups as organizations attempt to solve these complex and interrelated data management challenges. The first step is to determine ownership of a consolidated information governance approach. For many organizations the champion will be the general counsel. For others it may make sense to vest control in the chief compliance officer, if there is one or, alternatively, the chief information officer.
While information governance can assuredly increase the business value of corporate information, the biggest benefit is seen in the reduction of an increasingly interrelated array of information risk categories. While it’s possible to tackle each risk category on its own, it’s becoming a best practice to leverage an information governance umbrella framework in order to gain alignment and harness formerly fragmented budgets.