Eisenhower famously quipped “plans are worthless, but planning is everything.”  His point was that though a plan may not anticipate every contingency, the rigors of the planning process are essential for preparedness.  That’s true for everything from WWII to pandemic response and to managing information risks and opportunities.

So, did the United States have a plan for pandemic response, and what were its key elements?

Yes indeed, the Bush administration developed plans and recommendations for U.S. infectious disease response, and these were built upon by the Obama administration.  Key elements included the following:

Structure:  The United States put in place early warning systems for outbreak prediction, modeling, and surveillance in global areas conducive to emerging threats.  Artificial intelligence systems began monitoring developments across the globe to identify possible outbreaks, and forecasting and modeling techniques were enhanced.  The CDC placed American health and science professionals on site in foreign locations likely to see the emergence of new pathogens, such as in China.  And for new global zoonotic threats (viruses that originate in animals and cross to humans), USAID began the Emerging Pandemic Threats program in 2009, comprised of four projects –  PREDICT, PREVENT, IDENTIFY, and RESPOND – operating in 20 foreign countries (including China) where such viruses commonly emerge.

Also, in the wake of the 2014 Ebola outbreak, the National Security Council’s Directorate for Global Health Security and Biodefense was established to centrally coordinate the work of various government agencies in pandemic detection and response.  Its mission was “to do everything possible within the vast powers and resources of the U.S. government to prepare for the next disease outbreak and prevent it from becoming an epidemic or pandemic.”

Direction:  Back in 2005 the Bush administration developed the National Strategy for Pandemic Influenza.  More recently, in 2016 the White House’s NSC compiled the Playbook for Early Response to High-Consequence Emerging Infectious Disease Threats and Biological Incidents.  The 69-page 2016 Playbook was a detailed decision-making tool directing key questions to ask, agencies to consult for answers, and decisions to be made in managing response to outbreaks emerging either outside or within our country.  As the Playbook noted, “[w]hile each emerging infectious disease threat will present itself in a unique way, a consistent, capabilities-based approach to addressing these threats will allow for faster decisions with more targeted expert subject matter input from Federal departments and agencies.”

Resources:  The United States invested heavily in cross-agency, institutional, and international relationships to enable the surveillance, detection, and response elements described above.  The Strategic National Stockpile, originally established in 1999, became a central repository for medical supplies and equipment crucial for outbreak response.  As its website stated back in 2018, the “National Stockpile is the nation’s largest supply of potentially life-saving pharmaceuticals and medical supplies for use in a public health emergency severe enough to cause local supplies to run out.”  And the backstop for sourcing supplies and equipment remained the Defense Production Act, enacted in 1950, the vehicle through which the federal government can expedite and expand production of crucial supplies by private industry to support military, energy, space, and homeland security program needs.

The Lesson for Information Governance?

Just as the U.S. needed planning for pandemic response preparedness, organizations need to plan for governing their information risks and opportunities, putting in place the structure, direction, and resources appropriate for the task:

Structure:  Companies need organizational structures that identify their different types of information and the applicable rules for managing such information.  Examples are an enterprise records retention schedule for applying retention and disposal rules; a legal hold system for applying preservation rules in litigation; an information classification policy for applying security and privacy rules; and a contracting and service provider system for applying information requirements to third parties.  Companies also need a clear, up-to-date understanding of the data systems and storage devices within or through which such rules are actually applied to the company’s information.

Direction:  Companies need clear and effective policies and procedures directing employees (and others with access to the company’s information) on how to compliantly retain, use, safeguard, and dispose of information; contracts directing third parties on the company’s expectations and requirements for information; and legal hold communications directing recipients on compliant preservation actions for information relevant to litigation.  Companies also need up-to-date protocols for contingencies, including disaster recovery/business continuity plans and security incident/breach response plans.

Resources:  Information systems are of course expensive.  But to achieve information governance objectives, companies must also commit resources to ensure that there are effective rules for these tools.  It takes attention, expertise, and continuing engagement to accomplish that, and so investments in personnel and providers with information governance experience are crucial.

Our second pandemic response lesson for Information Governance is that it takes time to assess risks, develop a plan, and put in place the structure, direction, and resources to manage those risks.  Like procrastinating until a virus becomes a pandemic, waiting until there’s a data breach, or a large-litigation preservation duty, or a business continuity or enterprise data system failure, is at best hugely and unnecessarily expensive, and at worst it can be disastrous.  The time for planning is now.