Gentle readers:
My thoughts on this subject were just published in the Fall issue of The Ethical Boardroom. Here is a link: http://tinyurl.com/q87qo4q
As always, your feedback, kudos, and brickbats are welcome.
Thanks for your interest,
Gordy
18 November 2015
16 July 2015
Article on Document-Level Redaction of Electronic Documents
On June 30 online, KM World published an article I wrote on Document-Level Redaction of Electronic Documents. While this is not everyone's cup of tea, it is an important tool for many RIMmers. [As it has fallen out of use a bit, I remind my gentle readers that RIM is an acronym for Records & Information Management.]
The article can be found at http://bit.ly/1JkeChc.
As always, your comments are valued.
Thanks for reading.
13 July 2015
The Most Dangerous Case of Over-Retention
10Jul2015
Today the United States Office of Personnel Management
revealed that its data breach affected tens of millions of individuals. The OPM’s Director resigned.
The stolen data included personal information about:
- Current government workers
- Former government workers
- Relatives and associates of current and former government workers
The OPM had information about the last group because they
investigated people close to government workers who requested security
clearances. Such investigations seem
reasonable because interpersonal relationships can be more compelling than
patriotism. If a government worker is
going to be trusted with state secrets, it seems worthwhile to inquire whether
s/he has close ties to people who support our enemies.
The legitimacy of collecting this Personally Identifiable
Information (PII) – including Social Security numbers – is not the question
here. The question is: How long should the PII have been retained?
According to media reports, the oldest of the stolen data is
decades old. Had it passed its
usefulness? Was there any reason to keep
it? Was there a Records Retention
Schedule at the OPM? Was data disposal ever practiced?
Unknown millions of Americans are now vulnerable. Here’s a personal example: In 1979 and 1980, my wife worked for the U.S.
Census. The position ended in June of
1980, and she has not worked for the public sector since that time. Fast forward 35 years, and we are told that nefarious
hackers may have her Social Security number, birth date, and other PII.
It is beyond my ken to imagine a reason the OPM should have
retained my wife’s data. It could not currently
serve a legal, regulatory, operational or historical purpose. Just the opposite: for decades, the unneeded
PII has needlessly used tax dollars to pay for storage, slowed searches, loaded
servers, and more. The breach will
entail tens of millions of notifications, credit monitoring, loss compensation,
and more. What a waste! It reminds me of my friend’s comment when we
noticed five DOT workers watching a guy with a shovel fill a pot hole: “Your
tax dollars at work.”
I don’t say this to disparage government workers. I can personally attest that most are
hard-working, dedicated, and honest folk who give more than they get.
The OPM’s practice of records management gets a much lower
grade. Surely there will be
investigations that try to assign blame, fix fallacies, and improve bad
practices.
I suggest that the improvements start with a revised Records
Retention Schedule and an emphatically enforced records disposal program.
05 May 2015
IG: The Whole Is More Than the Sum of Its Parts
The following article appears -- in slightly different form -- as the lead contribution to a larger work on Information Governance published online by the International Legal Technology Association. Find it at http://epubs.iltanet.org/i/503802
Written with assistance from Ronke' Ekwensi
The whole is more than the sum of its parts: That’s Information Governance. Like a jigsaw puzzle, the pieces are
fragmentary, but they combine to create a whole, and sometimes beautiful,
picture.
But what is Information Governance? The term has been bandied about to the point
where confusion reigns:
- A technologist may say it is data governance or content management
- An attorney may equate it with eDiscovery or defensible disposition
- A Records specialist will frequently define it as best records practices, using Generally Accepted Recordkeeping Principles
Each definition contains a sliver of truth, but none
encompasses the meaning. Information
Governance is all of these things and more.
In its most useful form, however, IG is not a thing. It is not a technology, a policy, a process,
or a tactic.
In its essence, Information Governance is the integrative
effectiveness varied stakeholders create when they cooperatively process
information and share resources for the good of their organization.
A single area of interest does not need governance. Governance means a structure and defines
relationships. IT, Legal, Records,
Privacy, Security, Compliance, Finance, Audit and other areas can manage their information
alone. An enterprise requires
Information Governance to harness the power contained in its information
throughout these departments. This
applies to documents, system data, reports, Tweets, and any other kind of information
created. The power IG harnesses is
directly proportional to the harmony and efficiency between the departments.
Information Governance takes a holistic view. It is not a function of IT, Legal, or any
other group. IG considers the needs and
resources of each stakeholder, drawing out high function and high
productivity. In doing so, IG roots out
redundancy – duplicated and conflicting technologies, processes, policies and
efforts. It reveals gaps and
vulnerabilities. The result is a synergy
that is more effective and productive than was possible with
independently-acting entities and silos of information. The whole is more than the sum of its
parts.
[SIDEBAR]
Why is Information Governance’s Importance Significant-to-Critical?
Organizations need to extract value from their data and
protect it.
Key groups need quick access to their information – without
being distracted by useless data – but many lack the expertise to make that
happen. This is not surprising. Specialists in finance, operations,
compliance, legal matters, and others are highly trained in their
disciplines. However, their training
rarely includes information technology, managing Big Data, and system
optimization.
Conversely, technology specialists rarely train on the
intricacies of law, compliance and privacy.
Some organizations lack adequate security expertise to counter outside
hacking and internal pilfering of proprietary data.
Even when all needed skills exist within an enterprise,
rarely do they fit together hand-in-glove.
Consequently, the expertise applies to only parts of an organization,
and it may be duplicated in disparate parts.
Information Governance improves this fragmentation. Its systematic approach includes all appropriate
departments. IG considers each area’s
unique needs while finding common solutions.
This comprehensive, holistic approach improves data use, management, and
security across the information stakeholders.
For the enterprise, it brings coordination and efficiency,
extracting more value from the data while prescribing adequate security and
privacy measures. That’s why it is often
critically important.
[END SIDEBAR]
Steps to IG
Unfortunately, there are obstacles to this success, and they
come in many forms. Common ones include:
- Technical limitations: Existing systems and networks may not have the capacity, capabilities, or interoperability to work with information from the array of stakeholders
- Perceptual limitations: Non-technical stakeholders – such as many attorneys and records managers – may not understand the technical limitations and/or capabilities
- Inconsistent policies: Different stakeholders may work under different sets of rules
- Uncommitted leadership: Without strong sponsorship from an organization’s leader(s) the traditions of isolation and separate interests are unlikely to wane
- Evolving regulations, especially for privacy and security: Policy refreshment may not keep up with new rules, especially when they apply to old data
- Vocabulary: Different groups often have different words for the same thing. Alternately, one word can mean something different to different stakeholders.
Given these obstacles, it is no wonder that Information
Governance requires special vision and special skills. It is neither for the weak nor the
faint-of-heart. It requires commitment,
resources, and expertise. It’s an
important goal with huge rewards, but no one ever said it was easy.
Fortunately, there are proven methods for implementing
Information Governance. These methods
invoke guidelines, processes, and strategies.
They are flexible and scalable.
Because no two organizations’ information needs are the same, no two
applications of these methods are the same.
The ways to implement Information Governance are as varied as the
organizations that seek the challenges and claim the rewards. These methods, however, are sound and when
applied, they greatly benefit the organization and reward the effort.
Building IG
The first step is to perform a Current-State Assessment:
- How big is the organization’s universe?
- How functional is it?
- What works and what doesn’t?
- What are the communication channels, and how well do they work together?
- What resources are available, including technical, monetary, and human?
- From where does the motivation to change come?
- What is the pain point or trigger event?
A data map is helpful here, as is an inventory of
systems. A Current-State Assessment
identifies whether there is a high-ranking IG champion in the
organization. Similarly, commitment of
the stakeholders needs measuring. Are
there any stonewallers who absolutely refuse attempts at change?
A Current-State
Assessment may also consider an organization’s ability to address outside
concerns. Is the entity competitive in
the marketplace? Does it extract top
value from its data? Is it compliant
with regulations? Does it defend against intrusions and theft?
Step Two: Define the desired state.
- What is the best possible outcome?
- What would functional Information Governance look like in the organization?
- Who would participate, and who would be left behind?
- Is there a cutoff date for implementation?
- If so, how much integration can be accomplished in a well-defined time period?
- How does IG contribute to enterprise objectives?
A tightly articulated “Desired State”
description is essential for many reasons, not the least of which is to see
whether there will be a positive Return on Investment. It also defines “done”: the completion of
initial IG.
Having established these bookends, it is time for a Project
Plan. The principles of Project
Management are well established and effective.
They are applicable to implementing Information Governance.
However, Project Management is an art as well as a science,
and IG projects lean more toward the former than, say, hardware selection and
installation. By definition, creating IG
depends on coordinating groups with wide variety. Some groups may even oscillate or mutate in
process.
This is why the IG Project Manager must be specialized or
have specialized resources on the team, such as a certified Information
Governance Professional. Even choosing a
solution model is very different from, say, a software or system
implementation. The IG leader applies
models to develop specific, sequential tactics that move an organization from
conception to completion. There is no
magic. An IG project uses realistic,
step-by-step tactics to reach the goal.
The Project Management team must be adept at communication. It must speak to each stakeholder in its own
language, no easy task. For example, the
word “archive” means different things to different groups.
- For technologists, it often means storing large quantities of data, usually in a format that does not require frequent or rapid access. It may be long- or short-term storage.
- For records managers, “archive” refers to a small number of records organized effectively and preserved securely, for a very long time.
- Attorneys may consider an “archive” to be the reference library of legal matters or cases.
The team managing an IG implementation will be most effective when the
members use vocabulary appropriately for each group. Alternately, the stakeholders may agree to an
IG glossary to facilitate communication.
Project Models
Remember, Information Governance occurs between groups. Within a single entity, it may be called
Case/Matter Management, Cybersecurity, Records Management or Data Optimization. But organizing groups into a mutually
enhancing coalition is different. Because
enterprises vary so widely in their structure, history, strengths, and
weaknesses, there are no two identical solutions. Part of the “art”, mentioned above, is
matching the right solution model to the organization.
Of the five current process models detailed below, one fills an
organization’s need for Information Governance best. In most cases, the others will come into
play, but the most potent takes the lead and guides the project.
Structure Model:
In some organizations, the stakeholders in IG are islands unto
themselves. This may be a function of
history (such as acquisitions where no unity has ever existed.) It may also be a leadership choice or a sign
of departmental self-sufficiency. In any
case, the entities that need to work together for IG may have no historical
contact, context, or lines of communication.
There may be no extant motivation for cooperation. In cases like these, a governance structure
is an effective model.
Here, an effective structure starts with an executive champion. This must be someone of influence who is able
to offer “carrots” to the constituents and, also, wield a “big stick” --
rewards and penalties. An accountable
power must compel reluctant departments to participate in IG, and that usually
requires incentives and consequences.
The executive champion communicates the requirements of IG to the leader
of each stakeholder group. These leaders
form a high-level steering committee to find policies and strategies that will
allow the groups they represent to work together for the benefit of the entire
organization. Each stakeholder leader
appoints functional leaders to meet as a group tasked with identifying needs,
finding synergies, and implementing a program.
Policy Model:
In some organizations, there are no functional obstacles to stakeholder
cooperation. However, there is little
similarity in their policies, or, the policies themselves restrict sharing and
interoperability. In situations like
these, IG emerges when the constituents hammer out policies that apply to and
work for all groups.
For example, stakeholders may have vastly different policies on back-up
information. Legal may keep everything,
forever. Records may diligently practice
quick disposal of backup information. IT
may practice Hierarchical Storage Management for backup media. In all likelihood, there is a single policy
appropriate for the enterprise that meets the operational, legal, regulatory,
and other needs. Adoption of that policy
removes a major barrier to synergistic cooperation.
Technology Model:
In organizations where structure, policy, effective processes, and the
will to change are all in place – admittedly, a rare occurrence – the greatest gains
come from improved technology. Hardware
and software developers offer profound, and sometimes ingenious, tools for
automating the tasks of information management.
IG leaders bear the responsibility of meticulously defining the
inefficient situations that beg for automation.
Definition in hand, they procure tools that will improve processes,
reduce duplication, and enable synergies, cost-effectively.
This procurement requires expertise and understanding, but when a
solution is optimally matched to a problematic situation, superb consequences
emerge. Part of Information Governance
is the ability to understand the technological limitations that hinder each IG
stakeholder. Addressing, balancing and
synthesizing those needs reveal the qualities of a technology solution that
will serve all.
A side benefit is that implementing an enterprise solution for shared
needs is generally more cost-effective than using a variety of departmental
solutions.
Process Model:
Where a workable, hierarchical organizational structure is in place, the
proper automation tools are assembled, the policies are harmonized, and the
will to change is strong, the best way to effect IG is by optimizing processes
so, as much as possible, they all work together. The goal is synchronicity that reduces
delays, translations, and duplication.
It takes an IG structure and policy to make interoperability and
coordination a long-term goal of an organization. An IG program does not create instant
information exchange between disparate departmental systems. However, as departments evolve, guided by a
unified enterprise policy that accentuates Information Governance, improvements
incrementally emerge.
Change Management Model:
The balance between the art and science of Information Governance tilts
most heavily toward perception when addressing the behaviors that affect IG
efforts. Acceptance and resistance to
change vary widely among enterprises and between department groups. For example, some groups embrace new
technology because it eases their burden and improves production. Others feel that the effort to change
outweighs the potential benefit. This is
not unfounded, as technology solutions have a history of promising more than
they can deliver, while requiring exceptional effort from the end users.
Similarly, resistance to change may be built on the observation that
automation brings job loss. Those
perceiving threat may make gathering the statistics necessary for IG
difficult.
Politics plays a major role as well, as in all human endeavors. Bureaucrats who have established a hegemony,
with themselves at the top, may perceive a threat in sharing, cooperating, and
seeking synergies.
In calcified or resistant entities, change management may be the best
lead tactic to charting an Information Governance program. The form the change management takes is
unique to each organization, but promoting the will to change and improve
throughout each stakeholder/constituent is essential.
Getting Started
Ideally, Information Governance is an enterprise-wide program; that’s
where the best benefits emerge. Some
businesses will appoint a Chief Information Governance Officer to implement IG
throughout.
However, benefits accrue wherever two or more groups find synergies
together. Even a single department with
contrasting internal groups can use the IG principles for major gains. In fact, such examples can inspire larger
organizations to seek the gains of IG.
When enterprise-wide IG is not achievable, a subset of stakeholders can
nonetheless benefit.
For example, at a major, international pharmaceutical manufacturer, the
Legal, IT, and Records departments worked to establish a common approach to
backing up information. This resulted in
the defensible disposition of decades of legacy backup tapes. It also established a new policy that backup
was for disaster recovery only: every time a new backup tape was recorded,
there was no need to keep the previous one.
All the vital information was current, preserved, and available.
That policy would not work for all organizations, but in this example, it
significantly reduced risk and cut many dollars from the storage budget. It also set the basis for cooperation and the
means of communication to find other synergistic efficiencies. The leaders of the three groups had laid the
foundation for a larger IG program.
12 February 2015
Gleanings from LegalTech NY
It’s easy to get lost in the LegalTech glitz. There are sumptuous breakfasts, hosted Happy
Hours, and late night parties. On the
show floor, there is flashy signage, free cappuccinos, beauteous bootblacks,
and ingenious swag.* The conference sessions, despite a penchant for hyperbole,
are where the rubber meets the road (to coin a phrase).
At the very end of LegalTech New York, on Feb. 6, ARMA
International delivered a three-session track on Information Governance
(IG). Nuix sponsored it. The presenters/panelists ranged from
consultants to practitioners to government experts. Their comments ranged from pithy to profound.
Here, I report to you not what was
expressly stated by the speakers, but what I gleaned and interpreted, and what
I think you, gentle readers, will want to know.
1. IG came to prominence during the Great Recession
of 2008. In a down economy, corporate
leaders recognized they could not afford the redundancies, inefficiencies, data
loss, risks, and sloppy management that IG addresses. For some organizations, cutting bloated
budgets (perhaps for the storage of advocates of “Keep Everything Forever”) was
a survival tactic. For others, IG
offered a competitive advantage, lower risk, and better compliance with ever-more
stringent regulations. CEOs lowered
their tolerance of departmental fiefdoms and silos of information.
The bosses asked probing questions like,
“Do Legal and Records each need their own IT staff, or could corporate IT staff
meet their needs, improve operations, and save money?” IG validated their suspicions and offered
improvements.
With the economy improving, the fuel
driving IG could run out. I’m betting
not. The cat is out of the bag. The ROI is so compelling that organizations
seeking excellence will seek IG.
2. The two hottest issues in IG (and beyond) are Big Data and Security, both for money reasons. As panelist Alison North stated, corporations are trying to monetize every last bit of data for profit, competitive advantage, and cost-justification of their huge IT investment. Similarly, the cost of security breaches is so high – and goes beyond money – that many businesses and governments are pouring resources into prevention of data theft, denials of service, etc.
Of course records management through IG plays a major role here. Applying a retention schedule and legal holds to Big Data is the antidote to mega-storage and legal risk. Most Big Data has a short shelf life, and defensible disposal is a key component. So here’s one for RIM.
The numbers tell the story for Security as well. Experts such as panelist Andre McGregor, FBI Special Agent for Cyber-security in New York, agree that there is no sure defense against system intrusions by “bad guys”. However, the value of the target can be minimized through appropriate records retention and disposal. A smaller target may have lesser value, should a security breach occur. But IG has other contributions to make, including enlightened policies.
For example, why do my dental and vision
insurance work off my social security number?
If they used their own identification numbers and were hacked, well, the
intruders are welcome to get their teeth cleaned on my dime. But if they are hacked and get my SSN, there
is a lot more at stake.
3. Interestingly, there was consensus that the weakest link in cyber-security is human behavior. Two strategies combat that. One, of course, is education/change management. Changing behavior is difficult and imperfect, but helpful. The second is automation, that is, taking the human factor out of the equation. Even the best-trained staff members make mistakes, and automation should help lower the errors. However, automation has been known to be vulnerable as well, so pick your poison. There is no sure antidote to cyber-security toxins. One way to mitigate the exposure and possible damage is through an effective IG program that reduces risk and softens the blow, whenever it comes.
Information Governance appears to be on the rise, even when
it is not called IG. [See the PositivelyRIM post of 11 Feb.] The need is
there. Theorists, practitioners, and
organizations like the Information Governance Initiative are increasingly
active, promoting the benefits.
The rapt attention paid by the capacity crowd at the IG track
suggests a market that is hungry for Information Governance’s advantages. The substance enjoyed by those at the
sessions outweighed the otherwise ubiquitous LegalTech glitz.
*The no-prize for the cleverest swag goes to Recommind for
their complete game of “Cards Against Lawyering”.
11 February 2015
The Curious State of Information Governance at LegalTech: Contradictions Abound
At the New York City LegalTech Feb. 3-6, Information
Governance (IG) could be seen as an incidental tag line or a rising star.
I say “incidental tag line” because many exhibitors added IG
to their signage in a list of bulleted items.
It was as if they wanted to be sure not to exclude someone because they
didn't have a requisite buzz word... kind of like Burger King adding a
vegetarian patty to their menu so a single herbivore in a group would not 86
the idea of going to Whopperland.
When questioned, many booth personnel had no idea how to
define IG. Some equated it with data
management, others called it eDiscovery/predictive coding, still others said it
was defensible disposition, and a final group said The Dead Man in Yossarian’s
Tent could answer my question, if I would just return later. This was disappointing and dismaying, but it
speaks to the noted (if misunderstood) significance of IG. (To be fair, a couple vendors were on board
with real IG, but they stood out as exceptions that prove the rule.)
Other evidence points to IG as a rising star. The Information Governance Initiative
celebrated its first anniversary with a well-attended pre-con “Boot Camp”. Notable in attendance was the first known
Chief Information Governance (and Privacy) Officer, JoAnn Stonier of
MasterCard. At ARMA International, last
October, Drinker Biddle’s Jason Baron had predicted such a sighting in
2015. It took just over a month to make
him a prophet in his own time.
Specific reasons that corporations should establish “C”
level IG positions were voiced at LegalTech:
· Creating a CIGO develops corporate clout for a discipline that, in some organizations, has been devalued
· Politics do matter, and a CIGO will develop alliances with peer Chiefs, combating or befriending antagonists to develop IG and effect measurable change
ARMA sponsored a conference track on IG that filled every
seat, certainly more than 100. A show of hands revealed a healthy balance of
attendees from sometimes siloed industries: Legal, Records, IT, Compliance,
Security, and others. The Information
Governance Initiative had just released the print version of its survey study
on “IG in 2020”, and Executive Director Blair opined that CIGOs would be common
in six or seven years.
Blair also shared springtime plans for an eight-chapter
manual on how to be a CIGO, with chapters on goals, responsibilities,
navigating corporate governance, qualifications to be a CIGO, and more.
Panel moderator Julie Colgan, of ARMA and Nuix, posed the
question, “Is Information Governance a buzz word?” That is, is it a fad, a flash in the pan, or an
ephemeral phenomenon? The question is
valid in the wake of a regatta of technologies that caught wind and sailed one
moment before drifting in irons the next.
Panelists North and others had the right answer: It doesn’t matter whether the term “Information
Governance” achieves longevity or not.
The term may morph or fade but the work that the term describes and
addresses will not go away. Lauren Barnes
of Credit Suisse posited, “It is a writing term, a branding.”
You can call a screw a “threaded fastener”, but it is still
needed to hold things together. Whatever
you call IG, organizations will still need to harvest synergies and eliminate
redundancies between their information’s stakeholders. Also, they will still need enhanced
cooperation between, say, IT and RIM, or
Legal and Security. And they will still
need the competitive advantage of higher efficiencies and lower risks.
Information Governance is a good term…until a better term
comes along. Now if only the exhibitors
at LegalTech that display the phrase could define it.