Sometimes we make things way too complicated – especially our relationship with business data. Allow me to “kidnap” Robert Fulghum’s classic poem – wisdom in effectively governing information compliance, cost, risk, and value is not found exclusively at the top of the data science mountain, but there in the sandpile at kindergarten. Here are the things we learned there:


Share everything.

OK, not literally, as in rampant social media TMI. Instead, unlock the value of your business information by making it easier to efficiently, securely, and collaboratively access your organization’s data across internal company silos.

Play fair.

Industry regulators, and the Federal Trade Commission under FTC Act Section 5, are vigilant about information privacy. In your internal company policies and external privacy notices, be clear about what personal information will be collected and how it will be used.  Craft these policies so that they are practicable, and then follow them.  And the issue is no longer simply the organization’s own practices – make sure you have a handle on the privacy practices of your upstream and downstream information business partners.

Don’t hit people.

Employees can wreak havoc with your organization’s brand through intemperate postings. Make sure that company policies address social media and internet use, in a way that passes muster with the NLRB.

Put things back where you find them.

Everything works better when data is put where it should properly be stored. The right data can be found quickly and cost-efficiently in both day-to-day operations and legal hold preservation; data reliability can be trusted; data is more likely protected by the appropriate access and security controls; unnecessary duplication can be avoided, decreasing overall data volume; and data is more likely to be timely, compliantly, and securely disposed of under company policy.

Clean up your own mess.

Legacy accumulations of unnecessary paper and electronic data are a liability, not an asset. And the dubious notion that uncontrolled, uncurated data troves will magically become valuable through big data analytics is no excuse for lax data practices. Old paper and data accumulations should be compliantly processed so that legacy data is retained or preserved if required, but obsolete data is disposed of.

Don’t take things that aren’t yours.

Data breaches are not the exclusive province of hackers. Verizon’s 2016 Data Breach Investigations Report confirms that privilege misuse continues to be a significant problem, responsible for 16% of the more than sixty-four thousand security incidents analyzed in the DBIR. Employees are the usual culprits, but collusion with outsiders is also significant. And while financial motives still predominate, espionage is on the rise. Organizations should be vigilant in protecting their information assets from employee theft, and not simply when employment ends.

Say you’re sorry when you hurt somebody.

In a “when, not if” world of data breaches, odds are that your organization will suffer a security incident affecting protected information of employees or customers. The Ponemon Institute’s 2014 study, The Aftermath of a Data Breach: Consumer Sentiment, found that the single most important breach response was a “sincere and personal apology,” which had more impact than free credit monitoring and identity theft protection, or access to a call center, or product or services discounts. We’re not perfect, but we can indeed look folks in the eye and apologize when warranted.

Wash your hands before you eat.

Sanitary handling of data is essential for security, and keeping current on security patches and other security controls is crucial to that end. Verizon’s 2016 DBIR contains a sobering reminder of the importance of managing system vulnerabilities in a timely manner – ninety percent of system exploitations during 2015 involved vulnerabilities first published one or more years previously, and more than half of the 2015 system exploits were of vulnerabilities that have been known publicly for five or more years. And user awareness about phishing tactics, strong passwords, and credentials protection is also a security imperative. Forty percent of the breaches in the Verizon 2016 DBIR featured phishing attacks, and sixty-three percent involved the leveraging of weak, default, or stolen passwords.


Organizations continue to keep way too much data, without any legal compliance or business need. Unnecessary data retention slows productivity, exacerbates data security exposures, and multiplies litigation discovery processing and review costs. Less than half of organizations systematically and routinely dispose of outdated or unneeded information, according to the most recent biennial Information Governance Benchmarking Survey of Cohasset Associates, ARMA, and AIIM. And the survey’s respondents identified the number one impediment to RIM program effectiveness – the difficulty in changing a “keep-everything” culture. Yes, retention requirements and legal hold imperatives must of course be met, but once data is no longer required, it should be compliantly disposed of.

Warm cookies and cold milk are good for you.

Just keep them out of your keyboard.  And most of all …

Be aware of wonder.

Business data does not simply bring cost, risk, and exposure. Information also offers extraordinary value to the organization. Some of that value is realized in well-understood ways, such as managing data to increase efficiency, speed decision-making, sharpen strategy, and measure results.  Yet information can also be mined, analyzed, leveraged, and monetized innovatively, even in ways that no one has yet attempted.  So yes, compliance and risk control are important, but that’s not the whole information governance story – be open to the “wonder” of how your organization can tap into the true value of its information.