information governance

Zuzu's PetalsFacebook this week announced its new social media application targeted at children,  Messenger Kids.  Designed to be COPPA-compliant, the text, video chat and photo-sharing app combines parental controls with all of the quirky features that tweens and younger folks will simply love, thereby ensuring Facebook will enjoy a next generation of engaged customers … and also their data.

The new app drops smack into the ongoing cultural debate over the wisdom of young children being exposed to regular internet and social media use.  Detractors of the new Facebook app note concerns about data collection and use.  The Wait until 8th campaign advocates for no smart phone use until eighth grade.  Notably, both Bill Gates and Steve Jobs limited their children’s access to technology.  And studies regularly link social media use with increased rates of depression among youth.

The notion is that young people should be protected from unfettered exposure to social media and the Internet until they are old enough to use these tools with responsibility and moderation.  Fair point, but a flawed premise: when it comes to responsible and moderate use of technology, we adults still have a lot of work to do. Continue Reading Forget petals – Zuzu wants a smartphone for Christmas

Am I Drunk signWe’re addicted to information, but we can’t stand to think about it again once we’ve seen it, saved it, hoarded it.  Why?  We collect or create it in the moment, but have no thought or plan for its future.  Even when it was once and briefly useful, neglected information soon becomes the effluvium of our digital landfills.  And, like most landfills, the odor is disagreeable and no one wants to be near it.

Pinterest and the P:\ Drive

There is little doubt that social and cultural factors exacerbate and feed our addiction.  The immediate gratification of social media interactions, and the availability of “productivity” tools and data storage accelerate the accumulation of information.  “People hoard because they believe that an item [information] will be useful or valuable in the future. Or they feel it has sentimental value, is unique and irreplaceable . . . . They may also consider an item [information] a reminder that will jog their memory, thinking that without it they won’t remember an important person or event. Or because they can’t decide where something belongs, it’s better just to keep it.

How to Change

Addiction draws us into information overload, but our aversion to uncertainty keeps us from managing what we save or create.  Part of the challenge is that it’s just too hard to focus on something so big, yet so invisible.  We’ve all read the stats on how much information is created each year, but who understands how much 5 exabytes of information is anyway?   It’s beyond our tactile experience—like knowing how many gallons of water are in the ocean, or stars in the sky.

In thinking about change, Tali Sharot, associate professor of cognitive neuroscience at University College London, proposes, “Messages that tap into basic human desires — such as the need for agency, a craving for hope, a longing to feel part of a group — are more likely to have impact.”

In a previous post I talked about the consequences of allowing our private selves to bleed into our work selves.  The answer comes back to the summary of human desires, “what’s in it for me”?  So, using Dr. Sharot’s examples, I add here to the list of things we can do for ourselves, and ultimately for our organizations: Continue Reading Addiction and aversion … the yin and yang of information

clouds and lightningIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes).  How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, through cloud providers.  We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge data troves on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promply restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: Continue Reading Why govern your information? Reason #4: Your information is in others’ custody … but you’re still responsible for it.

“GarGarbage Dumpbage in, garbage out” – we know that already, right?  Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.

Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management.  It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry.  Deming exhorted American management to adopt product and service quality as the driving force in all business practices.

What’s that got to do with Information Governance?  It’s this – regardless of industry, in today’s world you’re actually in the information business.  So, business quality increasingly means information quality.   Continue Reading Why govern your information? Reason #5: Bad information results in bad decisions.

Business woman screaming at laptopMany years ago, before common sense kicked in, I thought it would be a good idea to rent a storage space for all the extra furniture and other stuff I could not fit in my new house.  Knowing it would only be temporary, I stashed everything from upholstered and leather furniture, to boxes of books.  Fast forward twelve months.  The rental agreement was expiring, and I realized that I would never need nor have room for all that I’d stored, so I decided to have a sale to dispose of it.  When I went to the storage space I was horrified to see that everything was covered in a thin film of mold.  (This was years before climate-controlled storage was widely available.)  I had no choice but to trash it all, which both cost me money and prevented me from converting my goods to profit.

I was reminded of this long-ago event when I heard about the latest ransomware attack.  We’ve been reminded countless times of the importance of backup, and ransomware is only the most recent reason.  If you have ever had a hard drive fail, you know the pain that comes with irretrievable data.

So what happens when your backup media fails.? Or your archival media?  Don’t CDs last forever? Continue Reading Backup failure in the age of ransomware

Dr. Lawrence WeedAmerican architect Louis Sullivan, who coined the iconic phrase “form ever follows function,” was flat wrong – at least when it comes to the relationship of what we do and how we capture it with data.  The reality is instead that the medium shapes the message, and that record-keeping alters the processes it records.  Need a current example?  One only has to consider how the President’s staccato bursts of tweets now drive public attention, media focus, and policy debates, both domestically and abroad.

But a more profound example is the life’s work of Dr. Lawrence Weed, who passed away last week at age 93.   Continue Reading With business processes and records, we have it backwards – function follows form

checklistIt’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:

  • Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
  • Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed”comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
  • HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazardsto ePHI security or integrity.
  • The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair and deceptive acts in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.

Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant.  So, why do these laws stop short of telling us specifically what to do?

Continue Reading Why don’t data security laws simply tell us what we need to do?

disk cleanupIn a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information).  Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives.  Here’s where Audit comes in.

Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach.  Needless to say, such events draw the attention of the C-suite and boards of directors.  That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information.  Audits, whether external or internal, can serve the same function.

Continue Reading InfoSec Audit’s role in cleaning up ROT

Lawyer holding a target on his faceWhile preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016.  Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.

Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.

Continue Reading In-house Counsel in the Cybersecurity Crosshairs

When Earth Day rolls around each year, I can’t heEarth in human handslp but think of the picnic scene from Mad Men.  After Don Draper chucks his empty beer can into the pond, Betty snaps the blanket, dumping their litter across the grass, before trundling the kids off to the family car (12 MPG, leaded gas, with no emissions control).

Mad Men‘s magic was culture clash, the shocking contrast between the oblivious then – sexism, homophobia, humans as ashtrays – and our enlightened now.  What makes the picnic scene so memorable is the gobsmacking environmental thoughtlessness of that era, in which the only things green were money and envy.

And my, how far we’ve come.  We reduce, reuse, and recycle. Some of us compost, and others glare at the poor souls who still occasionally litter.  We spend extra money for energy-efficient vehicles and appliances.  We tend to buy local and organic, and we worry about chemicals in our food and water.  Most folks are concerned about climate change and believe we need to change human behavior to slow it.  In short, we devote significant thought, time, effort, and resources to be environmentally responsible.

At the same time, we remain completely oblivious to the swirling plumes of data exhaust we emit every day, and the toxic accumulations of data in the landfills of our devices, servers, and cloud accounts.  When it comes to data pollution, guess what – we’re Don and Betty.

Continue Reading Earth Day and data pollution