If you’re old enough, you’ll remember a time when businesses actually kept their own information (cue my adult children to roll their eyes). How quaint. We no longer keep most of our information – providers do that for us. We store our data in the cloud, with cloud providers. We outsource business applications to SaaS providers, and even entire systems as PaaS. And we increasingly use service providers to handle key aspects of our business that we used operate internally, resulting in a robust flow of data out of our businesses to such providers, and also the providers generating, receiving, and retaining huge troves of business data on our behalf.
But we’re still accountable for our information in others’ hands:
- Litigation – the scope of permissible discovery, and of the preservation duty, extends not only to data in our possession or custody, but also to data within our control.
- Data security – we’re generally responsible for data breaches suffered by our service providers. Under most breach notification laws, including HIPAA and state breach notification statutes, our service providers must notify us of data breaches, but we are still responsible for providing notice to affected individuals and regulators. Regardless, in the wake of a service provider data breach, we’re in the hot seat.
- Business Continuity – if we need to promptly restore data due to ransomware or other causes of business interruption, it doesn’t matter who’s the custodian – all that matters at that moment is timely and effective restoration.
- Retention – third parties retaining information longer (or shorter) than our retention schedule cause us to be at best inconsistent and out of compliance with our information management policies. At worst? See Litigation, Data Security, and Business Continuity above.
Our litigation preservation duties do not vanish for information hosted elsewhere but still in our control; our data security obligations do not evaporate when we house protected data with a service provider; our imperatives of data integrity and accessibility have no exceptions based merely on data storage location; and our records retention and destruction rules do not disappear if our data is hosted remotely. In other words, we still need to govern information compliance and risk for our business data in other’s custody.
And this is a perfect example of the value of Information Governance. A key benefit of the IG perspective is that it enables organizations to take useful strategies from one established discipline and apply them more broadly. The importance of service provider controls is well-established in the data security discipline. For example: