Reaching Information Governance Success Through Baby Steps

From protecting sensitive customer data from cyber threats, to complying with data privacy laws, and responding to investigations, corporate information governance efforts are quickly becoming “must-do” projects. While these projects often start with compliance teams, they also share many of the same drivers that spur initiatives within other departments. Can these disparate teams get on the same page to leverage existing and emerging information governance projects for their own separate needs? And if so, how can they produce measureable benefits from them?

Companies that have been hit the hardest by data breaches, a high volume of litigation, or extensive internal investigations have been forced to take an active approach to information governance, and the most sophisticated among these have begun to appoint chief data officers to lead the charge. However, the majority of corporations typically take a collaborative approach to tackling information governance, pulling in C-level stakeholders from various departments, including records and compliance, IT, legal, security and others. Often the COO or CIO leads these efforts, but regardless of who is spearheading the initiatives, they still tend to flat line before any meaningful results are realized.

To further illustrate the problem, FTI Consulting’s latest Advice From Counsel study, “Measuring Your E-Discovery Program Against Industry,” (July 2015) noted that despite a growing awareness of information governance, data retention and deletion policies at large corporations are still lacking in many ways. The study included responses from interviews among counsel and e-discovery professionals at Fortune 1000 corporations. Among the respondents, 41% said their companies retain emails for more than three years, and another 10% indicated they don’t know for how long the company retains documents, or if a policy even exists. This further highlights the opportunity for stakeholders to influence and improve these processes, and ultimately mitigate risk.

The records management organization within a company is uniquely positioned to make an impact in these initiatives. Unfortunately, all too often records managers devote extensive resources to creating lengthy, verbose policy documents that are not widely read, practiced or enforced—making the quest for perfection their worst enemy. With new challenges mentioned above, and others brought forth by big data—the continually increasing volume, variety and veracity of electronic documents—and the demands of e-discovery, it is time for professionals in this field to begin driving some much-needed change.

Records managers have a wealth of knowledge that can be applied to emerging challenges, and by simply adopting a more practical approach and letting go of intangible processes, real progress can be made toward addressing data overload. Most information governance projects never get off the ground, despite the fact that they are driven by acutely felt pain points. The reason for this is that many information governance initiatives take time for benefits to materialize, and they rarely offer immediate rewards. The key is to engage key stakeholders across internal organizations and plan to take it step by step, viewing the attainment of one or two teams’ initial goals as an overall success.

Making the Plan

There are a handful of tactical projects that can help improve employees’ day jobs now, while simultaneously building toward a broader future vision. For records management professionals looking to drive this process, they must agree to forego perfection and start small.

As an example, one client I work with has an ongoing struggle with its email archive platform. Due to the lack of attention that has been given to remediating data and keeping the archive manageable, it takes the company three weeks just to extract the data from the archive for e-discovery purposes. When SEC investigators give a 72-hour deadline to respond to a query, the company is stuck in an impossible quandary. At the start of every new investigation, the team is already three weeks behind deadline. The size of the archive at this client is worsening every day, and prohibiting the company from addressing the problem, because it simply seems too big to undertake. In order to deal with this issue, key stakeholders must act with a day one-forward approach for new data, and a separate remediation effort for legacy data. But without the involvement of the legal department to emphasize the critical nature of the problem, IT can’t move the initiative forward.

Below are four action-oriented projects that records managers can take in partnership with legal and other departments to both solve immediate pain points and create a sound information governance infrastructure. Through these initiatives and a “baby steps” mentality, the overall information governance goals can be reached with measurable successes along the way.

Get rid of legacy data and adjust policy going forward. A critical first step in information governance is dealing with legacy storage by refreshing backups, eliminating storage tapes and enforcing archiving policy. In order to remediate legacy back-up tapes as an information governance project, legal and compliance must collaborate to take inventory of and address any regulatory and legal hold obligations on the data. This process can also be a forcing function to standardize legal hold policies.

For example, if an organization has 100,000 back-up tapes, perhaps only 100 of those are subject to current legal holds. At any time, a matter may arise that lays claim to 60,000 of those tapes; but if they are remediated as part of an overall (and enforced) archiving policy before that happens, they can’t fall under future legal holds. The key is to take these actions as soon as possible, and put enforceable, sustainable data retention policies in place for all data moving forward. Taking this kind of proactive approach can save a company millions of dollars in the long run.

Bring unstructured data under control. Every organization contains unstructured data that includes confidential or personally identifiable information that may be subject to privacy laws, such as HIPAA in the case of healthcare organizations. Banks are another example of corporations with a lot of regulated data—such as credit card information—to which many people have access. With serious data breaches occurring more frequently and no industry professing immunity to these attacks, new laws are emerging that prohibit and/or regulate the storage of this type of data. In addition to the extensive costs that arise during the aftermath of a data breach, companies now have legal and regulatory obligations for how they manage sensitive information.

A recent study by Ponemon Institute and IBM found that the average data breach in the US costs $5.9M, or $200 per breached record. This issue isn’t going away, and introduces a critical information governance pain point. Taking the time to scan the file shares for sensitive data, identify critical information and get it under lock and key can help mitigate the substantive risks of loss of IP and trade secrets, and the procedural risks involved with managing a data breach. In today’s world, this is something that needs to be done for legal and regulatory reasons and is a core building block toward overall information governance.

Modernization of messaging archiving. Email archives are one of the most under-maintained systems within an organization. Data volumes have grown to a point where archives are bursting at the seams and beginning to fail and crash. The problem has grown to a point that can no longer be ignored. Searching data in the archives for e-discovery purposes can take days or weeks, and that’s only to get the data out, which can cause serious issues when a corporation is trying to respond to a regulator. Most archives are built on aged technology that desperately needs to be updated.