Green cup of coffeeEarth Day reminds me of grabbing a coffee before a client meeting in San Francisco a couple years ago.  As I walked into a local Blue Bottle Coffee, I entered an environmental tableau.  The diverse crowd of customers was uniform in its vibe (young professional/Tech), clothing (black or grey organic fiber), and appetite for a curated/organic/Fair Trade coffee experience – and happy to pay a premium for it.  A phalanx of recycling containers awaited every conceivable waste stream.  Nary a plastic straw was in sight.  It felt as if I was in a temple of sustainable sensibilities, with a business model and patronage profoundly committed to Green principles.

But what struck me instead were the billowing clouds of data exhaust streaming from laptops, tablets, and phones, themselves toxic waste sites for massive amounts of uncontrolled data.

The contrast between our environmental practices and how we treat our data is gobsmacking.  Though we never uniformly agree on anything, it’s indisputable that Green principles are now squarely in the mainstream.  We believe in reducing/reusing/recycling; we expect clean air and water;  we care about the healthfulness of the food we ingest; and we worry about climate change.  We talk about these values; we support varying degrees of government regulation for these aims; and, most importantly, we tend to align our money with our motivations, causing an increasing number of companies to adopt environmentally sustainable practices.

But what about our data?  We freely generate massive amounts of data, in rapidly increasing volumes.  We allow our data to accumulate in vast troves, locally and in the cloud, without a thought to the repercussions.  We fail to take the often simple steps to secure the data we possess, or to be aware of the security practices of those with whom we entrust our data.  How we actually treat our data belies any professed interest in the privacy of our information.  We happily ingest information from virtually any source, without regard for its toxicity.  We do not demand effective government regulation of the powerful companies that handle our data.  And, most importantly, we do not use our market behavior to compel companies to treat our data responsibly.

Why is this so?  How is it that our 21st Century data practices mirror the environmental-obliviousness of the 1960’s?  How did Green environmental sensibilities successfully take root and flourish, and what does that tell us about how we now could make better data practices a reality?  And what would it look like to be Data Green?

Stay tuned.

 

Majestic giant redwood treesThey say that the right time to plant a tree is yesterday.  In a world of data dangers and opportunities, the time to elevate how your business governs its information is now.  That’s easy to say, but with all of the conflicting priorities facing companies today, for many it’s hard to get started, or to push ahead.  Sometimes it helps to revisit why an effort is worthwhile.

So, here are a dozen reasons why your organization should redouble efforts to govern its information, in 2019 and beyond: 

12. Unnecessary business data causes unnecessary litigation costs.

“If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”  Former District Court Magistrate Judge John Facciola

11. Thousands of federal and state records retention laws apply to your company.

We know, because we track them.  Your regulators expect you to know them too.

10. It’s a when, not if, world for data breaches.

“You’re going to be hacked.  Have a plan.” Joseph Demarest, FBI Cyber Division

9. Unnecessary business data multiplies data security exposures.

Hacked company systems frequently contain two, three, or even four times more data than was needed for retention compliance or any valid business purpose.  It’s not possible for a breach to compromise the security of information that compliantly no longer exists.

8. How you govern data can build – or bust – your brand.

In our data-driven world, how well your organization manages information tells you, and tells the world, how well you manage your business.

7. Merely adding more storage or more tools won’t solve your data problems.

More storage is simply a reaction, not a strategy.  And adding technology tools, without the right rules, only makes things worse, not better.

6. It’s OK to destroy your data.  Really.

Disposal of data in good faith, pursuant to a compliantly established and legally validated data retention schedule, and absent an applicable litigation preservation duty, is both responsible and defensible.

5. Bad information results in bad decisions.

Actually … data is simply data.  Calling some data “bad” distracts us from the true issue, which is the quality of our business practices in creating, retaining, and using information to make decisions.

4. Your business data is in others’ custody … but you’re still responsible for it.

Your litigation preservation duties do not vanish for information hosted elsewhere but still in your control; your data security obligations do not evaporate when you house protected data with a service provider; your imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and your records retention and destruction rules do not disappear if your data is hosted remotely. You still need to govern information compliance and risk for your data in other’s custody.

3. “Your” data may belong to others … and you’re responsible to take care of it.

Companies commonly possess third-party data.  If your agreements don’t clarify permissible use, ownership of derivative information, retention/disposition, privacy, security, and litigation preservation and production obligations, you have risks and exposures without any rules to protect you.

2. Your information risks, and opportunities are all connected, arising from a single source – your data. Your response strategies should be synchronized too.

Privacy, data security, retention, litigation preservation, and defensible disposition aren’t separate issues. They all interrelate, springing from the data itself.  How you handle information compliance, cost, risk, and value should be integrated as well, in an information governance strategy.   

And that leaves the single most important reason of all:

1. Regardless of industry, you’re in the information business.

It doesn’t matter what products you sell or services you provide.  In today’s world, the success of your business – indeed, its viability – turns upon information.

Consider the attention and resources you apply to your other strategic assets, such as your finances, your facilities and equipment, and your people.  You make those investments because it would be foolish not to manage their value, costs, and risks.  Your information deserves no less.

So … it’s time to plant that tree.

Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever any information-related issue is dealt with or decision will be made by your organization, be sure to ask the following: Continue Reading Why govern our information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  It all feels beyond embarrassing, and downright dangerous.

This is not just a bad dream – it’s the reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third-parties if there’s a problem.

What kinds of problems? Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works: Continue Reading Why govern our information? Reason #3: “Your” data may actually belong to others … and you’re responsible to take care of it.

Lightning Strike in ThunderstormIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes). How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, with cloud providers. We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used to operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge troves of business data on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our business data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: Continue Reading Why govern our information? Reason #4: Your business data is in others’ custody … but you’re still responsible for it.

“GarGarbage Dumpbage in, garbage out” – we know that already, right?  Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.

Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management.  It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry.  Deming exhorted American management to adopt product and service quality as the driving force in all business practices.

What’s that got to do with Information Governance?  It’s this – regardless of industry, in today’s world you’re actually in the information business.  So, business quality increasingly means information quality.  

Key attributes of data for business are sometimes referred to as the four Vs: volume, variety, velocity, and veracity.  Most folks focus on the first three, but the veracity of data – its integrity, its reliability, its quality – is crucial for business decision-making.   In a 2016 survey of executives by the Chartered Institute of Management Accountants, 80% of respondents admitted that their organization used flawed information to make a strategic decision at least once in the last three years. And IBM estimates that poor data quality costs the U.S. economy $3.1 trillion each year. Continue Reading Why govern our information? Reason #5: Bad information results in bad decisions.

Destroyed CDs - shredded by a shredder.It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data.  That’s nonsense.  It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.

Even the courts themselves dispose of their data.  Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.

Here are but a few of the many case decisions on this point: Continue Reading Why govern our information? Reason #6: It’s OK to destroy business data. Really.

Endless book tunnel in Prague libraryAs the information tide relentlessly rises, many organizations simply see an IT problem, to be fixed with a purely IT solution – more storage capacity, more tools, or both.  But merely adding more storage is a reaction, not a strategy.  And adding technology tools without the right governance rules invariably makes things worse, not better.

This is not a criticism of your IT team.  Instead, the problem lies in a misunderstanding of the fundamental challenge.  Just as you shouldn’t bring a knife to a gun fight, you shouldn’t merely bring more storage capacity and IT tools-without-rules to your fight to regain control over your organization’s information.  What’s needed is governance.

More Storage is Not the Answer

If the accelerating, worldwide growth of data were a throw-back movie, it would star Vin Diesel – Fast & Furious.  It’s hard to wrap one’s head around the magnitude and velocity.  Try this – for context, the total content of all catalogued books in the Library of Congress has been estimated variously at 10 to 15 terabytes of data.  IDC’s Data Age 2025 study pegged the world’s 2018 data volume at 33 zetabytes (33 billion terabytes), and forecasted that data volume will reach 175 zetabytes by 2025, a more than quadruple increase.  In case your head hasn’t exploded … apparently 1,000 zetabytes is a yottabyte, and as of yet there is no officially recognized International System of Units name for 1,000 of those (I propose “Lottabyte”).

Why the dizzying growth?  Internet use is certainly a contributor (a lot can happen there each minute).  But it is the Internet of Things, combined with the Industrial Internet, that will increasingly generate gobsmacking quantities of device and machine data.

Let’s hone in on the reality faced by individual organizations. Unstructured data (documents, spreadsheets, presentations, audio and video files, email, and the like) can comprise 80% to 90% of total enterprise data.  Unstructured data is often largely uncontrolled, scattered across network drives, user’s computers, and the organization’s electronic content management (ECM), collaboration, and e-communication systems.

Veritas’ Data Genomics Project produced an interesting 2016 study that analyzed tens of billions of unstructured data files, with over 8000 file extensions, at Fortune 500 companies.  Key finding?  Storage capacity grows each year, but so does data volume – 39% annual growth in the number of unstructured data files, year over year.  Just as a bigger closet or garage at home results in the accumulation of more stuff, when businesses add larger on-premise or cloud repositories without governance controls, it inevitably leads to larger data volumes.  More storage simply enables more data hoarding.

Tools Without Rules are No Help Either

Continue Reading Why govern our information? Reason #7: Merely adding more storage and more tools won’t solve your data problems

A metal cattle brand with the word brand as the marking areaThe “business case” for information governance often focuses solely on quantifying specific costs for data management and exposures for data security and ediscovery.  Number crunching is of course important, but it misses something bigger, more strategic, and ultimately more crucial to the organization – its brand.  Companies, regardless of industry, are fundamentally in the information business.  It follows that how an organization manages its information assets reveals how the organization manages itself.  And that matters, a lot, because companies that align themselves with their brand, achieving brand discipline, are more successful.

In their seminal 1993 Harvard Business Review article, Customer Intimacy and Other Value Disciplines, Michael Treacy and Fred Wiersema made the case for how highly successful companies (1) understand and redefine value for their customers, (2) build “powerful, cohesive business systems” to deliver more of that value than their competitors, and (3) raise their customers’ expectations beyond what the competition can deliver.  The most successful companies do this work within at least one of three disciplines: operational excellence, product leadership, or customer intimacy.

Treacy and Wiersema based their insights on an intensive study of 40 companies that achieved breakout success in their markets.  They followed the article with their quintessential business strategy book The Discipline of Market Leaders.  Twenty years later, this book is likely still on your CEO’s bookshelf.

What’s the point for information governance?  It’s this – a successful company brand cannot be lipstick on a pig.  It must be organic, a discipline that pervades the organization from the bottom to the top, inward and outward, in its core processes, business structure, management systems, and culture.  And how your organization manages information value, cost, compliance, and risk is no exception.  Simply put, stronger information governance yields a stronger brand for your business.  And this is true for each of the three disciplines of highly successful companies: Continue Reading Why govern our information? Reason #8: It can build – or bust – your brand

One Bullet in Gun BarrelHaving too much data causes problems beyond needless storage costs, workplace inefficiencies, and uncontrolled litigation expenses.  Keeping data without a legal or business reason also exacerbates data security exposures.  To put it bluntly, businesses that tolerate troves of unnecessary data are playing cybersecurity roulette … with even larger caliber ammunition.

Surprisingly few U.S. data security laws and standards expressly require that protected data be compliantly disposed of once legal and business-driven retention periods expire.   PCI DSS v3.2.1, Requirement 3.1, provides “[k]eep cardholder data storage to a minimum by implementing data retention and disposal policies ….”  HIPAA regulations  mandate that business associate agreements require service providers, upon contract termination, to return or destroy all PHI received or created on the covered entity’s behalf, if feasible.  Alabama and Colorado require that records containing state-level PII be disposed of when such records are no longer needed.  And biometric data privacy laws in Illinois, Texas, and Washington generally require that biometric data be disposed of once it has served its authorized purpose.

Instead, most such laws and standards focus on securely sanitizing or destroying storage media.  For example, the NIST Cybersecurity Framework v. 1.1 includes as a security control (PR.IP-6) that “[d]ata is destroyed according to policy,” and ISO 27002 (§ 8.3.2) provides that “[m]edia should be disposed of securely when no longer required, using formal procedures.”

But data security is not achieved by simply running through a checklist of explicit compliance requirements – it instead requires assessing risks and establishing effective security controls.  And one of the most powerful security controls is to not keep too much data, for too long. Continue Reading Why govern our information? Reason #9: Unnecessary business data multiplies data security exposures