retention & defensible disposal

Subscribe to retention & defensible disposal via RSS

Empty SafeLast week’s post explored why law firms need data security policies.  Before we move on, I’d be remiss if I didn’t mention another policy that’s absolutely crucial for the law firm’s data security posture – a records management policy, coupled with an up-to-date and legally validated records retention schedule.

What does a records retention schedule have to do with data security?  Simply this – keeping data without a legal or business reason exacerbates data security exposures.

Breached systems frequently contain many times more data than was needed for retention compliance or any valid business or operational purpose.  This unnecessary data multiplies the number of those whose confidential or protected information is compromised, and can also have exponential impact once breached, passing a tipping point on lasting reputational damage or on the economic viability of claims against the firm.

It’s not possible for a breach to compromise the security of information that no longer exists, having already been compliantly disposed of once its legally required retention and business value have expired.

But surely most every law firm has a records retention schedule in place for its records of client matters and firm administration, right?  Actually, far too few firms do.
Continue Reading Law firm data retention – they can’t hack what you no longer have

Security dial turned to highest settingHow time flies.  Seventeen years ago, I went to work for a small, visionary company based in Seattle—Computer Forensics, Inc.   Indeed, the founder was so early in the e-discovery and forensics industry that our URL was forensics.com.  Laptop drives typically had 8 GB of storage, and servers were more often than not simply a bigger box that sat in a closet.

Lots has changed since then.  New technologies, expanded data sources and media types, and more raw data have flooded consumer and business marketplaces alike.  We’ve all seen the scary statistics on increasing information volumes and the security risks that follow.  Unfortunately, our controls for the creation, management, retention, and disposition of those data have not kept pace.  Yet how we manage our data on a day-to-day basis goes also to the heart of how we protect our data and ensure that our information assets are secure from theft or compromise.

During my years at CFI and since, I’ve found myself pondering “what if?” questions.  What if we only had to protect 20% of our information?  What if clients could take dollars earmarked for e-discovery and increased storage and spend them instead on better systems and operational improvements?  What if a client faced with the reality of a data breach didn’t have to wonder how many unnecessary skeletons were now visible?  The promise of information governance is that we can answer these questions affirmatively.  This is good news, and more importantly, news you can use.
Continue Reading Information governance – the foundation for information security

Fried egg on the sidewalk
“This is your information, ungoverned.”

2017 was rife with data dangers.  Nary a day passed without headlines of massive data breaches and ransomware attacks; Russian election-meddling through WikiLeaks and social media; fake news; and presidential tweet-storms.  Disruptive information-driven technologies continued to emerge, from block-chain to biometrics, IoT, AI, and robotics.  Meanwhile, the sheer volume of our personal and business data inexorably grew.

What better way to start 2018 than with a renewed commitment to Information Governance?  So, here are a dozen reasons why your organization should govern its information, in 2018 and beyond: 
Continue Reading 12 reasons to govern your information in 2018

Charging ElephantOur firm’s elephant icon is a nod to The Blind Men and the Elephant, the familiar, age-old parable for how we often do not see the big picture, but instead only the parts we directly encounter. And so it goes for organizations’ data. Individual company functions and departments often have their own, limited perspectives on information, seeing only the risks and opportunities with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk.

I actually prefer a slightly different version, The Blind Elephants and the Man:

One day, six blind elephants were in a heated argument about what Man was like. To resolve their dispute, they sought out and found a man. The first elephant “felt” the man and then proclaimed “Man is flat.” Each of the other elephants, in turn, felt the man, and they all agreed.

The moral? Limited perspective not only yields limited perception – it can also lead to very bad results.

“Information Governance” has become an overused buzz-phrase, often trotted out as marketing mumbo-jumbo for selling technology tools.  In all the hype one can easily lose track of what it really means.  At its heart, Information Governance is no more – and no less – than making sure the organization sees the big picture of information compliance, cost, risk, and opportunity when making strategic decisions.
Continue Reading Why govern your information? Reason #2: Your information risks and opportunities arise from a single source – your data. Your response strategies should be synchronized too.

It’s a common nightmare.  As you toss and turn in bed, you picture yourself on a strange playing field with other athletes swirling around you.  You have absolutely no idea what sport you are playing, nor a clue what the rules are.  it’s not only embarrassing – it’s downright dangerous.

This is not just a bad dream – it’s reality for companies possessing third-party data without clarity on what rules and responsibilities apply.
Continue Reading Why govern your information? Reason #3: “Your” information may belong to others … and you’re responsible to take care of it.

Am I Drunk signWe’re addicted to information, but we can’t stand to think about it again once we’ve seen it, saved it, hoarded it.  Why?  We collect or create it in the moment, but have no thought or plan for its future.  Even when it was once and briefly useful, neglected information soon becomes the effluvium of our digital landfills.  And, like most landfills, the odor is disagreeable and no one wants to be near it.

Pinterest and the P:\ Drive

There is little doubt that social and cultural factors exacerbate and feed our addiction.  The immediate gratification of social media interactions, and the availability of “productivity” tools and data storage accelerate the accumulation of information.  “People hoard because they believe that an item [information] will be useful or valuable in the future. Or they feel it has sentimental value, is unique and irreplaceable . . . . They may also consider an item [information] a reminder that will jog their memory, thinking that without it they won’t remember an important person or event. Or because they can’t decide where something belongs, it’s better just to keep it.

How to Change

Addiction draws us into information overload, but our aversion to uncertainty keeps us from managing what we save or create.  Part of the challenge is that it’s just too hard to focus on something so big, yet so invisible.  We’ve all read the stats on how much information is created each year, but who understands how much 5 exabytes of information is anyway?   It’s beyond our tactile experience—like knowing how many gallons of water are in the ocean, or stars in the sky.

In thinking about change, Tali Sharot, associate professor of cognitive neuroscience at University College London, proposes, “Messages that tap into basic human desires — such as the need for agency, a craving for hope, a longing to feel part of a group — are more likely to have impact.”

In a previous post I talked about the consequences of allowing our private selves to bleed into our work selves.  The answer comes back to the summary of human desires, “what’s in it for me”?  So, using Dr. Sharot’s examples, I add here to the list of things we can do for ourselves, and ultimately for our organizations:
Continue Reading Addiction and aversion … the yin and yang of information

clouds and lightningIf you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes).  How quaint.  We no longer keep most of our information – providers do that for us.  We store our data in the cloud, through cloud providers.  We outsource business applications to SaaS providers, and even entire systems as PaaS.  And we increasingly use service providers to handle key aspects of our business that we used operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge data troves on our behalf.

But we’re still accountable for our information in others’ hands:

  • Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.       
  • Data security – we’re generally responsible for data breaches suffered by our service providers.  Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators.  Regardless, in the wake of a service provider data breach, we’re in the hot seat.
  • Business Continuity – if we need to promply restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
  • Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies.  At worst?  See Litigation, Data Security, and Business Continuity above.

Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our data in other’s custody.

And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example:
Continue Reading Why govern your information? Reason #4: Your information is in others’ custody … but you’re still responsible for it.

“GarGarbage Dumpbage in, garbage out” – we know that already, right?  Well … what we know about information quality and what we do are not always in sync. Just for kicks, consider information quality through the lens of the industrial quality movement.

Looking down from 30,000 feet, the history of industrial quality goes something like this – Medieval Guild craftsmanship, then Industrial Revolution product inspection, and then the post-World War II focus on quality process management.  It sounds arcane, until one remembers the 1980’s visceral fear that Japanese manufacturers were beating the pants off of U.S. manufacturing in terms of quality and value. Enter W. Edward Deming, who had been deeply influential in Japan’s post-war industrial recovery, and who became the evangelist for quality management practices in U.S. industry.  Deming exhorted American management to adopt product and service quality as the driving force in all business practices.

What’s that got to do with Information Governance?  It’s this – regardless of industry, in today’s world you’re actually in the information business.  So, business quality increasingly means information quality.  
Continue Reading Why govern your information? Reason #5: Bad information results in bad decisions.

disk cleanupIn a previous post I suggested that Information Technology is really in a good position to help identify and clean up ROT (redundant, obsolete, and trivial information).  Sometimes, though, IT needs a helping hand to get the attention of those who can approve a budget for clean-up initiatives.  Here’s where Audit comes in.

Over the years, I’ve seen many information governance clean-up programs come to life in the wake of an expensive e-discovery effort, or an embarrassing and costly data breach.  Needless to say, such events draw the attention of the C-suite and boards of directors.  That attention usually translates into emergency funding and action to shut down e-mail retention, delete old files, and generally do what should have been done all along: better manage information.  Audits, whether external or internal, can serve the same function.

Continue Reading InfoSec Audit’s role in cleaning up ROT

When Earth Day rolls around each year, I can’t heEarth in human handslp but think of the picnic scene from Mad Men.  After Don Draper chucks his empty beer can into the pond, Betty snaps the blanket, dumping their litter across the grass, before trundling the kids off to the family car (12 MPG, leaded gas, with no emissions control).

Mad Men‘s magic was culture clash, the shocking contrast between the oblivious then – sexism, homophobia, humans as ashtrays – and our enlightened now.  What makes the picnic scene so memorable is the gobsmacking environmental thoughtlessness of that era, in which the only things green were money and envy.

And my, how far we’ve come.  We reduce, reuse, and recycle. Some of us compost, and others glare at the poor souls who still occasionally litter.  We spend extra money for energy-efficient vehicles and appliances.  We tend to buy local and organic, and we worry about chemicals in our food and water.  Most folks are concerned about climate change and believe we need to change human behavior to slow it.  In short, we devote significant thought, time, effort, and resources to be environmentally responsible.

At the same time, we remain completely oblivious to the swirling plumes of data exhaust we emit every day, and the toxic accumulations of data in the landfills of our devices, servers, and cloud accounts.  When it comes to data pollution, guess what – we’re Don and Betty.Continue Reading Earth Day and data pollution