information management

Subscribe to information management via RSS

Businesses in the United States have a new imperative to carefully manage records retention and promptly dispose of unnecessary information (and no, it’s not due to GDPR or other global privacy law developments).  Recent changes in U.S. data security and privacy laws, and the trends they portend, are elevating the disposal of unnecessary data from a risk management strategy to a compliance requirement.

Managing data volumes has always been prudent.  Using retention schedules to curb relentless data growth remains an established, sensible way to keep business operations efficient, manage storage expense, mitigate ediscovery costs, and limit data security and privacy exposures.  Perhaps the most trenchant explanation was offered by former U.S. District Court Magistrate Judge John Facciola:  “If your clients don’t have a records management system, they may as well take their money out into the parking lot and set it on fire.”

But as a matter of pure legal compliance, U.S. federal and state laws have historically followed a “mandatory minimum” retention approach, requiring that businesses keep specified records for at least a mandated retention period, but not compelling disposal.  With precious few exceptions, U.S. businesses have not been legally required to (1) manage data with retention schedules and (2) dispose of unnecessary data.  And U.S. privacy and data security laws have generally been silent on retention periods for protected information.  For example, HIPAA and its Privacy and Security Standards impose no retention period on covered entities for protected health information (PHI); the Gramm-Leach-Bliley Act (GLBA) and its federal functional regulators’ privacy regulations and Interagency Security Guidelines do not explicitly require financial institutions to dispose of unnecessary nonpublic customer information (NPI); and the FACTA Disposal Rule only speaks to how, not when, to compliantly dispose of consumer report information.

Well … that was then, and this is a new now, driven by recent changes in U.S. data security and privacy laws.  I’ll dig deeper into these developments in upcoming posts, but here are the high points:
Continue Reading For U.S. businesses, less data is more than ever

People on peak mountain climbing helping team work , travel trekking success Management support is crucial for successful Information Governance initiatives. This is not merely a question of initial project and budget approvals. Most Information Governance initiatives involve behavioral changes in how data is handled, and in many instances, aspects of organizational culture may be impacted. No matter the ultimate benefits, any initiative involving behavioral change will

People on peak mountain climbing helping team work , travel trekking success

Selecting the right initial project(s), determining outcomes and measures, and preparing the business case are important groundwork for your Information Governance initiative, as discussed in Part 1.  But to secure resilient management support for an ongoing initiative, you’ll also want to tie the individual projects to strategic objectives for Information Governance at your organization.

money blowing awayI’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, you’re the “Manager of Money,” right? 

“Nope – that’s indeed my title, but I don’t have the authority to manage all of RabbitHole’s money. My focus is just on the paper money, not electronic accounts and transfers. And I only keep track of the paper currency that is boxed up and kept off-site – what employees do with money day-to-day is up to them, their business units, and the company’s Money Policy.”

What does the Money Policy say?
Continue Reading What if companies treated their money like their information?

Our firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.

The Information Governance perspective is a ready-made, scalable resource. Any organization can make meaningful headway, right away, by simply adopting an inclusive IG perspective when addressing information matters, before investing in significant organizational changes and expensive technology tools.

What does this mean? Simply this – whenever any information-related issue is dealt with or decision will be made by your organization, be sure to ask the following:
Continue Reading Why govern our information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  It all feels beyond embarrassing, and downright dangerous.

This is not just a bad dream – it’s the reality for companies possessing third-party data without clarity on what rules and responsibilities apply.

Most companies possess some data that they do not truly and solely own.  Perhaps your company signs a nondisclosure agreement and obtains others’ information while evaluating a business opportunity.  Or maybe your company is a service provider that receives or generates data on behalf of customers or clients.  Your company has possession of the data, but it remains responsible to the third-parties if there’s a problem.

What kinds of problems? Well, what if the third party’s data is lost, corrupted, misappropriated, hacked, or held for ransom?  What if the cost of maintaining the information, after the work concludes or need passes, becomes onerous?  What if the information becomes relevant in future litigation?  Who is authorized to make decisions about the information when the unexpected happens, and who is responsible for the expenses and exposures?

Information Governance – your organization’s strategic approach to managing information compliance, cost, and risk while maximizing information value – is tailor-made for this commonplace scenario.  Here’s how it works:
Continue Reading Why govern our information? Reason #3: “Your” data may actually belong to others … and you’re responsible to take care of it.

“GarGarbage Dumpbage in, garbage out” – we know that already, right?  Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.

Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management.  It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry.  Deming exhorted American management to adopt product and service quality as the driving force in all business practices.

What’s that got to do with Information Governance?  It’s this – regardless of industry, in today’s world you’re actually in the information business.  So, business quality increasingly means information quality.  

Key attributes of data for business are sometimes referred to as the four Vs: volume, variety, velocity, and veracity.  Most folks focus on the first three, but the veracity of data – its integrity, its reliability, its quality – is crucial for business decision-making.   In a 2016 survey of executives by the Chartered Institute of Management Accountants, 80% of respondents admitted that their organization used flawed information to make a strategic decision at least once in the last three years. And IBM estimates that poor data quality costs the U.S. economy $3.1 trillion each year.
Continue Reading Why govern our information? Reason #5: Bad information results in bad decisions.