From protecting sensitive customer data from cyber threats, to complying with data privacy laws, corporate information governance efforts are quickly becoming “must do” projects. While these projects often start with compliance teams, they also share many of the same drivers that spur initiatives within the legal department. Can legal teams leverage existing and emerging information governance projects for their own e-discovery needs? And if so, how can they produce measurable benefits from them?
While most corporations have bought into the concept of information governance, in practice it remains ethereal and abstract, with very little consistency from person to person in how it is defined. Because of this, there are often a lot of false starts within a corporation; committees are formed to study it and put a strategy in place, but projects fall short of implementation due to a lack of metrics. Despite this, there are practical steps corporations can take to show measurable progress in information governance. Many of these steps can be driven by the legal department, delivering immediate benefits to that group, and further benefits toward the greater information governance vision for the entire organization.
Companies that have been hit the hardest by data breaches, a high volume of litigation, or extensive internal investigations have been forced to take an active approach to information governance, and the most sophisticated among these have begun to appoint chief data officers to lead the charge. However, the majority of corporations typically take a collaborative approach to tackling information governance, pulling in C-level stakeholders from various departments, including records and compliance, IT, legal, security and others. Often the chief operations officer or chief information officer leads these efforts, but regardless of who is spearheading the initiatives, they still tend to flatline before any meaningful results are realized.
As an example, one client I work with has an ongoing struggle with its email archive platform. Due to the lack of attention that has been given to remediating data and keeping the archive manageable, it takes the company three weeks just to extract the data from the archive for e-discovery purposes. When Securities and Exchange Commission investigators give a 72-hour deadline to respond to a query, the company is stuck in an impossible quandary. At the start of every new investigation, the team is already three weeks behind deadline. The size of the archive at this client is worsening every day, and prohibiting the company from addressing the problem, because it simply seems too big to undertake. In order to deal with this issue, key stakeholders must act with a day one forward approach for new data, and a separate remediation effort for legacy data. But without the involvement of the legal department to emphasize the critical nature of the problem, IT can’t move the initiative forward.
This is a perfect illustration of the intersection between legal and information governance, and the importance of legal’s role in moving these projects forward. Legal often has access to budgetary resources, headcount or software platform resources that can be applied to successfully completing a remediation, software update or other data management efforts. Below are two steps that may be taken within the legal department that will solve a tactical pain point today and build toward the future vision for information governance. The second part of this article will introduce two additional steps, as well as provide examples highlighting how these projects have been correctly implemented within other organizations.
1) Get rid of legacy data and adjust policy going forward. A critical first step in information governance is dealing with legacy storage by refreshing backups, eliminating storage tapes and enforcing archiving policy. In order to remediate legacy back-up tapes as an information governance project, legal and compliance must collaborate to take inventory of and address any regulatory and legal hold obligations on the data. This process can also be a forcing function to standardize legal hold policies.
For example, if an organization has 100,000 back-up tapes, perhaps only 100 of those are subject to current legal holds. At any time, a matter may arise that lays claim to 60,000 of those tapes; but if they are remediated as part of an overall (and enforced) archiving policy before that happens, they can’t fall under future legal holds. The key is to take these actions as soon as possible, and put enforceable, sustainable data retention policies in place for all data moving forward. Taking this kind of proactive approach can save a company millions of dollars in the long run.
2) Bring unstructured data under control. Every organization contains unstructured data that includes confidential or personally identifiable information that may be subject to privacy laws, such as the Health Insurance Portability and Accountability Act in the case of healthcare organizations. Banks are another example of corporations with a lot of regulated data – such as credit card information – to which many people have access. With serious data breaches occurring more frequently and no industry professing immunity to these attacks, new laws are emerging that prohibit and/or regulate the storage of this type of data. In addition to the extensive costs that arise during the aftermath of a data breach, companies now have legal and regulatory obligations for how they manage sensitive information.
A recent study by Ponemon Institute and IBM found that the average data breach in the U.S. costs $5.9M, or $200 per breached record. This issue isn’t going away, and introduces a critical information governance pain point. Taking the time to scan the file shares for sensitive data, identify critical information and get it under lock and key can help mitigate the substantive risks of loss of IP and trade secrets, and the procedural risks involved with managing a data breach. In today’s world, this is something that needs to be done for legal and regulatory reasons and is a core building block toward overall information governance.
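The scanning step described above, as an added example that is not part of the original article: a small Python scanner that walks a directory tree standing in for a file share, flags files containing card-like numbers (validated with the Luhn checksum to cut false positives) and SSN-shaped strings, and reports whether each flagged file is world-readable, which is the "get it under lock and key" question. The regular expressions, the function names, and the sample files it creates in a temporary directory are all constructed for illustration; a production data-classification scan would use a vendor's pattern library and run against the real shares.

```python
"""
Added example (not from the original article): walk a directory tree, flag
files holding credit-card-like and SSN-like strings, and report whether the
file grants read access to everyone. Patterns and sample data are constructed.
"""
import os
import re
import stat
import tempfile
from pathlib import Path

# Candidate 13-19 digit runs, optionally separated by spaces or dashes (assumption:
# a card-shape heuristic, not a full vendor pattern library).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN shape, 3-2-4 digits with dashes; shape only, not an issuance check.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_text(text: str) -> dict:
    """Count Luhn-valid card-like numbers and SSN-shaped strings in a text blob."""
    cards = 0
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            cards += 1
    ssns = len(SSN_RE.findall(text))
    return {"cards": cards, "ssns": ssns}


def scan_tree(root: str) -> list:
    """Return [(relative_path, findings, world_readable)] for every file with a hit."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")   # skip undecodable bytes
        except OSError:
            continue
        found = scan_text(text)
        if found["cards"] or found["ssns"]:
            world_readable = bool(path.stat().st_mode & stat.S_IROTH)
            hits.append((str(path.relative_to(root)), found, world_readable))
    return hits


def build_sample_share() -> str:
    """Create a constructed temporary 'file share': one clean file, two sensitive ones."""
    root = tempfile.mkdtemp(prefix="share_")
    files = {
        # 4111... and 5500...0004 are well-known Luhn-valid test card numbers.
        "finance/cards.csv": "name,card\nalice,4111 1111 1111 1111\nbob,5500-0000-0000-0004\n",
        # 4111...1112 fails Luhn, so it is reported as a card-shaped false positive, not a card.
        "hr/notes.txt": "Employee 123-45-6789 onboarded. Ref 4111111111111112 is not a card.\n",
        "eng/readme.txt": "Nothing regulated here.\n",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    os.chmod(Path(root, "finance/cards.csv"), 0o644)   # readable by everyone: should be flagged
    os.chmod(Path(root, "hr/notes.txt"), 0o600)        # owner-only: already locked down
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for rel, found, world in scan_tree(share):
        print(f"{rel}: {found} world_readable={world}")
```

Running it lists finance/cards.csv (two valid cards, world-readable) and hr/notes.txt (one SSN, owner-only), and stays silent on the clean engineering file. The Luhn check matters in practice: without it, every 16-digit reference number on a share becomes a "card" and the remediation queue fills with noise.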
Accessing data, understanding it, classifying it, finding business value in it, and taking action on it are really at the heart of what information governance is all about. The legal team plays an important role because the tools needed to effectively implement and sustain this process are the same ones used to conduct e-discovery. Part 2 of this series will discuss additional steps the legal department can take to show immediate results while bolstering information governance.