It’s a common complaint – most U.S. laws requiring data security never cough up the specifics of what must be done to comply. Unlike other areas of business regulation, data security requirements seem hopelessly vague:

  • Several states’ PII laws require businesses to implement and maintain “reasonable security procedures and practices” to protect PII from unauthorized access, destruction, use, modification, or disclosure.
  • Regulations under the Gramm-Leach-Bliley Act compel financial institutions to have a “reasonably designed” comprehensive information security program with administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.
  • FACTA regulations require that consumer report information be disposed of “by taking reasonable measures to protect against unauthorized access to or use of the information….”
  • HIPAA covered entities and business associates must address the security standards for ePHI in a way that protects against “reasonably anticipated threats or hazards” to ePHI security or integrity.
  • The FTC enforces reasonable data security under Section 5 of the FTC Act, which prohibits unfair and deceptive acts in commerce, without explicitly mentioning data security and without any supporting regulatory standards for specific data safeguards.

Obviously, we can’t just put “remember to have reasonable data security” in a compliance checklist or internal audit protocol, because “reasonable” tells us nothing concrete about what specific security controls are needed to be compliant.  So, why do these laws stop short of telling us specifically what to do?

Continue Reading Why don’t data security laws simply tell us what we need to do?

In a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information).  Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives.  Here’s where Audit comes in.

Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach.  Needless to say, such events draw the attention of the C-suite and boards of directors.  That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information.  Audits, whether external or internal, can serve the same function.

Continue Reading InfoSec Audit’s role in cleaning up ROT

While preparing for an upcoming presentation for in-house lawyers on data security, I dusted off the events of three months ago, when Yahoo! Inc. unceremoniously fired its general counsel on March 1st, the very same day it filed its 10-K for fiscal year 2016.  Yahoo’s 10-K disclosed the contemporaneous dismissal as a “Management Change” resulting from its Board of Directors’ Independent Committee investigation into Yahoo’s immense 2013-2014 data breaches, which were not disclosed until 2016. Unlike prior mega-breaches, in which the head of IT or the CEO was let go (Target, Sony), Yahoo singled out its lead in-house lawyer for firing … without separation compensation of any kind.

Henceforth, whether fairly or not, March 1 will be known as In-house Counsel Data Security Awareness Day – because it’s now clearer than ever before that in-house lawyers must take a hands-on approach to breach response, breach response readiness, and data security generally.

Continue Reading In-house Counsel in the Cybersecurity Crosshairs

When Earth Day rolls around each year, I can’t help but think of the picnic scene from Mad Men.  After Don Draper chucks his empty beer can into the pond, Betty snaps the blanket, dumping their litter across the grass, before trundling the kids off to the family car (12 MPG, leaded gas, with no emissions control).

Mad Men‘s magic was culture clash, the shocking contrast between the oblivious then – sexism, homophobia, humans as ashtrays – and our enlightened now.  What makes the picnic scene so memorable is the gobsmacking environmental thoughtlessness of that era, in which the only things green were money and envy.

And my, how far we’ve come.  We reduce, reuse, and recycle. Some of us compost, and others glare at the poor souls who still occasionally litter.  We spend extra money for energy-efficient vehicles and appliances.  We tend to buy local and organic, and we worry about chemicals in our food and water.  Most folks are concerned about climate change and believe we need to change human behavior to slow it.  In short, we devote significant thought, time, effort, and resources to be environmentally responsible.

At the same time, we remain completely oblivious to the swirling plumes of data exhaust we emit every day, and the toxic accumulations of data in the landfills of our devices, servers, and cloud accounts.  When it comes to data pollution, guess what – we’re Don and Betty.

Continue Reading Earth Day and data pollution

OK, IT mavens, listen up…how much better would your life be if you only had to manage and protect 20% of your company’s data? By eliminating 80% of your data you could free up oodles of storage, reduce licensing costs, shorten backup cycles, and drastically cut e-discovery preservation costs, not to mention go home on time for a change.  For most this is an unrealistic pipe dream, but it doesn’t need to be.  The trick is knowing which 20% to manage.
Continue Reading The 20% solution for information management and security

It lingers on – that vaguely guilty feeling that there’s something sanctionable, even illegal, about routinely destroying business data.  That’s nonsense.  It is well-settled United States law that a company may indeed dispose of business data, if done in good faith, pursuant to a properly established, legally valid data retention schedule, and in the absence of an applicable litigation preservation duty.

Even the courts themselves dispose of their data.  Federal courts are required by U.S. law to follow a retention schedule approved by NARA, and to ultimately destroy records or transfer them to the Federal Records Center, as directed by that retention schedule.

Here are but a few of the many case decisions on this point:

Continue Reading Why govern your information? Reason #6: It’s OK to destroy your data.

“What if ants were as big as dinosaurs?”  I remember asking my kids that question, forever ago when they were young.  Maybe the thought came from reruns of old monster movies, like the 1954 classic Them! (pictured here).  Anyway, it was a cool game, for as the ant’s size multiplies, the laws of math, physics, and biology play their part:

  • The ant’s exoskeleton wouldn’t be strong enough to support the increased weight, so an internal skeleton is needed.
  • Gravity would play havoc with the ant’s open circulatory system, so a closed system is crucial.
  • The ant’s energy needs would soar, and so a different diet and digestive system are required.
  • The ant’s newfound size would totally alter its place in the food chain (The Lion King, “Circle of Life,” right?), driving fundamental changes in behaviors and capabilities.
  • And on, and on.

Until, we finally end up with an ant the size of a dinosaur … that looks a lot like a dinosaur.

But what’s this have to do with Information Governance?

Continue Reading Ants, Dinosaurs, and Information Governance

There’s been a lot of news lately about “secret” messaging in government, including inside the White House and the EPA, and last week’s revelation that Vice President Pence conducted state business with a private email account while Governor of Indiana. So there’s lots of angst right now about under-the-radar communications.  When you think about it, though, it’s really old news tied to new technology.  The only difference is the growing sophistication of the tools in the last few decades.  Old School: clandestine meetings in parking garages.  New School: disappearing messages.

What is really at issue here is not the technology, but rather the implied intent of circumventing rules (if they exist), and whether or not the communications are records. By any measure, if the communication is a record as defined by public or private rules, it must be retained.  Herein lies the problem.

Continue Reading We’re still babes in the wood when it comes to electronic messaging

Sorry to revive ugly memories of last fall’s vituperative presidential campaign, in which bile was spewed over candidate Clinton’s use of a private email server while Secretary of State, and its vulnerability to hacking.  Clinton eventually conceded that her use of a personal email server was a “mistake.”  Which it was, on so many levels.

Now, news reports indicate that Vice President Mike Pence, while Governor of Indiana, used a private email account (AOL, no less) to conduct state business.  And that some of the messages apparently contained sensitive law enforcement and Homeland Security information.  And that, unlike Clinton’s private server, Governor Pence’s personal email account was actually hacked.  And that the hack occurred (wait for it) last summer – in the midst of all of the self-righteous indignation over Clinton’s email practices.  Thankfully, Governor Pence and his wife were NOT stranded in the Philippines, and we did NOT need to wire them emergency funds.

These revelations will no doubt spur cries of bald-faced hypocrisy, and equally heated arguments that Pence’s situation is different than Clinton’s (AOL v. private server, Governor v. Secretary of State, sensitive Homeland Security information v. classified information, and so forth).

But here’s a thought – instead of yet another round of beating ourselves over the head with partisan cudgels, what if we tried something different this time?

Continue Reading So, Governor Pence used his hacked AOL account for state business – can we please now depoliticize data security?

It happens every day.  A company spends a huge amount of money on a new technology system, without fully addressing the information implications.  Maybe the decision (to move on-premise operations to a cloud SaaS or PaaS, or to retire and replace an enterprise database, or buy a comprehensive new tool suite) was reactive, driven by an impending crisis.  Maybe the decision-making was siloed, with IT not clearly hearing what the rest of the business truly needs (or more likely, the rest of the business not speaking up).  Or maybe IT just responded literally to a business directive of the moment (let’s get into IoT, or Big Data, or Blockchain!).  Regardless, the green light is lit, the dollars are spent … and problems ensue, painfully multiplying the procurement’s all-in cost.

What was missing? Strategic consideration of repercussions for information compliance, risk, and value for the organization as a whole, including privacy, data security, retention/destruction, litigation discovery, intellectual property, and so forth.  In other words, Information Governance.  And when was it missing?  Before the decision was made and the dollars were spent.

So, what if something could be hard-wired into the procurement process, a trigger that timely prompted decision-makers to call time-out; get focused input from all stakeholders; assess the repercussions for information compliance, risk, and value; and align the procurement requirements and purchase decisions with organizational strategy for governing information?

Continue Reading X Percent for Information Governance