Twenty percent solutionOK, IT mavens, listen up…how much better would your life be if you only had to manage and protect 20% of your company’s data? By eliminating 80% of your data you could free up oodles of storage, reduce licensing costs, shorten backup cycles, and drastically cut e-discovery preservation costs, not to mention go home on time for a change.  For most this is an unrealistic pipe dream, but it doesn’t need to be.  The trick is knowing which 20% to manage.

Continue Reading The 20% solution for information management and security

Destroyed CDs - shredded by a shredder.It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data.  That’s nonsense.  It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.

Even the courts themselves dispose of their data.  Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.

Here are but a few of the many case decisions on this point:

Continue Reading Why govern your information? Reason #6: It’s OK to destroy your data.

Breach VennI wish I had a bitcoin for every time I get an email with the subject line “Data Breach,” yet the facts upon investigation reveal no notifiable breach occurred.

In the Venn diagram of cyber security, the big rectangle is security incidents, enveloping a smaller circle of incidents that are breaches under state PI breach notification statutes.  And a yet smaller circle are the breaches for which these statutes require notification of affected individuals.

So, what are common scenarios in which a security incident does not trigger notification duties under state PI breach notification statutes?

Continue Reading When is a “data breach” not a breach?

Monster Ant“What if ants were as big as dinosaurs?”  I remember asking my kids that question, forever ago when they were young.  Maybe the thought came from reruns of old monster movies, like the 1954 classic Them! (pictured here).  Anyway, it was a cool game, for as the ant’s size multiplies, the laws of math, physics, and biology play their part:

  • The ant’s exoskeleton wouldn’t be strong enough to support the increased weight, so an internal skeleton is needed.
  • Gravity would play havoc with the ant’s open circulatory system, so a closed system is crucial.
  • The ant’s energy needs would soar, and so a different diet and digestive system are required.
  • The ant’s newfound size would totally alter its place in the food chain (The Lion King, “Circle of Life,” right?), driving fundamental changes in behaviors and capabilities.
  • And on, and on.

Until, we finally end up with an ant the size of a dinosaur … that looks a lot like a dinosaur.

But what’s this have to do with Information Governance?

Continue Reading Ants, Dinosaurs, and Information Governance

Baby playing with phoneThere’s been a lot of news lately about “secret” messaging in government, including inside the White House and the EPA, and last week’s revelation that Vice President Pence conducted state business with a private email account while Governor of Indiana. So there’s lots of angst right now about under-the-radar communications.  When you think about it, though, it’s really old news tied to new technology.  The only difference is the growing sophistication of the tools in the last few decades.  Old School: clandestine meetings in parking garages.  New School: disappearing messages.

What is really at issue here is not the technology, but rather the implied intent of circumventing rules (if they exist), and whether or not the communications are records. By any measure, if the communication is a record as defined by public or private rules, it must be retained.  Herein lies the problem.

Continue Reading We’re still babes in the wood when it comes to electronic messaging

Vice President Mike PenceSorry to revive ugly memories of last fall’s vituperative presidential campaign, in which bile was spewed over candidate Clinton’s use of a private email server while Secretary of State, and its vulnerability to hacking.  Clinton eventually conceded that her use of a personal email server was a “mistake.”  Which it was, on so many levels.

Now, news reports indicate that Vice President Mike Pence, while Governor of Indiana, used a private email account (AOL, no less) to conduct state business.  And that some of the messages apparently contained sensitive law enforcement and Homeland Security information.  And that, unlike Clinton’s private server, Governor Pence’s personal email account was actually hackedAnd that the hack occurred (wait for it) last summer – in the midst of all of the self-righteous indignation over Clinton’s email practices.  Thankfully, Governor Pence and his wife were NOT stranded in the Philippines, and we did NOT need to wire them emergency funds.

These revelations will no doubt spur cries of bald-faced hypocrisy, and equally heated arguments that Pence’s situation is different than Clinton’s (AOL v. private server, Governor v. Secretary of State, sensitive Homeland Security information v. classified information, and so forth).

But here’s a thought – instead of yet another round of beating ourselves over the head with partisan cudgels, what if we tried something different this time?

Continue Reading So, Governor Pence used his hacked AOL account for state business – can we please now depoliticize data security?

Bean of Chicago Millennium Park, Illinois, USAIt happens every day.  A company spends a huge amount of money on a new technology system, without fully addressing the information implications.  Maybe the decision (to move on-premise operations to a cloud SaaS or PaaS, or to retire and replace an enterprise database, or buy a comprehensive new tool suite) was reactive, driven by an impending crisis.  Maybe the decision-making was siloed, with IT not clearly hearing what the rest of the business truly needs (or more likely, the rest of the business not speaking up).  Or maybe IT just responded literally to a business directive of the moment (let’s get into IoT, or Big Data, or Blockchain!).  Regardless, the green light is lit, the dollars are spent … and problems ensue, painfully multiplying the procurement’s all-in cost.

What was missing? Strategic consideration of repercussions for information compliance, risk, and value for the organization as a whole, including privacy, data security, retention/destruction, litigation discovery, intellectual property, and so forth.  In other words, Information Governance.  And when was it missing?  Before the decision was made and the dollars were spent.

So, what if something could be hard-wired into the procurement process, a trigger that timely prompted decision-makers to call time-out; get focused input from all stakeholders; assess the repercussions for information compliance, risk, and value; and align the procurement requirements and purchase decisions with organizational strategy for governing information?

Continue Reading X Percent for Information Governance

Ship engine trottle, full speed aheadNews reports today indicate that Verizon is pushing ahead with its purchase of Yahoo’s core internet business, despite Yahoo’s massive data breaches.  Yahoo suffered a breach of 500 million user accounts in 2014, on the heels of a one billion account compromise in 2013 (names, telephone numbers, birth dates, passwords, and security questions), reputedly the largest data breach in history.

Speculation swirled for months about whether Verizon would simply walk away from the deal, originally set at $4.83 billion, or would proceed with a drastically reduced acquisition price.  And the result, as of today’s announcement?  Full speed ahead, after lowering the purchase price by $350 million.

Verizon will gain personal data on Yahoo’s over one billion users, which will no doubt boost its digital media and targeted advertising revenues, and the deal will help Verizon expand beyond the crowded market for wireless services.  So, the value of user information is not in doubt.  But what about the value of privacy?

$350 million is a lot of money.  And apparently Verizon and Yahoo will share certain costs related to governmental investigations and breach litigation, with Yahoo remaining on the line for SEC and shareholder litigation fallout.  But still, the results of simple division are stark – $350 million against up to 1.5 billion affected persons … yielding 23 cents. Continue Reading What’s our privacy worth? According to the Verizon/Yahoo deal, about 23 cents.

Endless book tunnel in Prague libraryAs the information tide relentlessly rises, many organizations simply see an IT problem, to be fixed with a purely IT solution – more storage capacity, more tools, or both.  But merely adding more storage is a reaction, not a strategy.  And adding technology tools without the right governance rules invariably makes things worse, not better.

This is not a criticism of your IT team.  Instead, the problem lies in a misunderstanding of the fundamental challenge.  Just as you shouldn’t bring a knife to a gun fight, you shouldn’t merely bring more storage capacity and IT tools-without-rules to your fight to regain control over your organization’s information.  What’s needed is governance.

Continue Reading Why govern your information? Reason #7: Merely adding more storage and more tools won’t solve your data problems

television addict man watching tv holding remote control mesmerizedOn Monday the Federal Trade Commission announced a $2.2 million settlement with VISIO, one of the world’s leading providers of smart TVs.  The deal settles charges by the FTC and New Jersey’s Attorney General that VISIO collected data from 11 million consumer TVs, without consumers’ knowledge or consent.  According to the complaint, the secretly collected data included second-by-second viewing data and IP addresses, to which data aggregators added demographic information, including age, sex, income, marital status, household size, education, home ownership, and household value – a covert data cornucopia, tailor-made for targeted advertising.

But in her concurring opinion, Acting Chair Maureen Ohlhausen (recently appointed by President Trump to lead the FTC) signaled a retreat from FTC enforcement based on unfair practices.

So, while we’re watching our TVs, and our TVs are “watching” us, who’s watching out for our privacy & security interests with the Internet of Things?

Continue Reading Me, my TV, IoT, and the FTC – who’s watching whom?