By Heidi Maher – Executive Director, Compliance, Governance & Oversight Counsel, IBM Analytics
Board members and executives are increasingly aware that a lack of governance creates risk, limits the organisation's ability to perform at its best and increases overall cost to the organisation. As a result, many executives now demand a seat at the information governance (IG) table when developing policies for the information their organisations create and collect. This is a positive evolution from a time when requests by IT and records information management (RIM) stakeholders for executive participation were often ignored, making programme approval difficult to obtain.
Today, IT, RIM, legal, compliance and security stakeholders and their C-level heads are far more likely to work together from the beginning to create a programme satisfactory to everyone.
Data-driven businesses, however, don’t just create and collect consumer information. They also acquire it in a variety of ways, including mergers and acquisitions (M&As), and they rely on information supply chain partners to host and manage data in the cloud. Unfortunately, this exposes organisations to the risk of significant fines and damage to reputation, because today’s legal and regulatory environment makes organisations potentially responsible for the sins and failures of their acquired companies and supply chain partners.
Despite this, most boards have remained focussed on the financial benefits associated with M&A activity and the movement to the cloud, not on developing the insight they need to evaluate the risks related to inadequate IG practices and weak information security on the part of M&A targets and partners. Because the failure to gain this information puts shareholder value at risk, it’s time for boards to expand their IG awareness to all data that touches their organisations.
Shifting information landscape
Organisations like the Compliance, Governance, and Oversight Council (CGOC) have pushed for comprehensive IG programmes and increased executive involvement for more than a decade and we have seen much progress. But the information landscape has changed dramatically during the last few years.
The amount of data
IBM estimates that in 2012 we were creating 2.5 quintillion bytes (or 2.5 billion gigabytes) of data every day and, as of 2013, 90 per cent of existing data had been created during the previous two years. In addition, the amount of dark data, which leading IT research organisation Gartner defines as ‘the information assets organisations collect, process and store during regular business activities, but generally fail to use for other purposes’, is doubling every 18 months, and most organisations have no idea of the value of this information or the risks associated with it.
Types of data
Five years ago, our focus was on governing email: what to retain and for how long, what to archive and when, etc. Now, most organisations control email with clear, defensible retention policies that also eliminate serious storage and e-discovery issues related to unnecessarily saving massive amounts of email content.
However, many organisations using today’s Unified Communications (UC) solutions, such as Microsoft Lync and IBM Sametime, and producing vast amounts of social media content have failed to implement retention schedules for the additional forms of communication, including text messages and blog posts. When this information is not properly governed, ensuring regulatory compliance and responding to e-discovery requests become far more complex and costly.
Legal and regulatory liability
Tasked with protecting consumers from unfair and deceptive business practices, the Federal Trade Commission’s (FTC) Bureau of Consumer Protection now launches an investigation if it detects risky behaviour regarding the security of customer data. No actual injury or breach is required. FTC enforcement has skyrocketed in recent years and companies found to have substandard security practices may face penalties. Any organisation dealing with consumer information is vulnerable.
Meanwhile, a ruling in Remijas v. Neiman Marcus Group, LLC (2015 US App LEXIS 12487, *18 (7th Cir. 2015)) has made it easier for consumers to sue a company after a breach involving their personal data. Consumers no longer have to show a risk of ‘imminent’ and ‘concrete’ injury in order to bring a suit, which means that a company’s failure to properly oversee data and how it responds to a breach may be sufficient grounds to sustain class actions by impacted customers. Previously, many companies avoided these lawsuits by invoking Clapper v. Amnesty International (133 S. Ct. 1138 (2013)), which required showing a risk of ‘imminent’ and ‘concrete’ injury in order to have standing to bring suit. This shift puts breached companies at much greater risk of class action lawsuits.
The above developments will dramatically increase the already skyrocketing cost of breaches. According to the Ponemon Institute, over the past year, the cost of data breaches due to malicious or criminal attacks has increased from an average of $159 to $174 per record. To put that in perspective, retail giant Target’s breaches in December 2014 and January 2015 involved as many as 110 million customers.
Mergers & acquisitions
It is black-letter law that a corporation generally assumes the liabilities of another company when acquiring or merging with that company. The consequence of this can be disastrous if the acquired information was not subject to current IG guidelines related to retention policies, data privacy, information security and e-discovery.
An important caveat exists with regard to liability under the Foreign Corrupt Practices Act (FCPA): ‘[s]uccessor liability does not … create liability where none existed before. For example, if an issuer were to acquire a foreign company that was not previously subject to the FCPA’s jurisdiction, the mere acquisition of that foreign company would not retroactively create FCPA liability for the acquiring issuer’. However, the Department of Justice Opinion Release No. 14-02 seems to indicate that if the successor company continues to benefit financially from the assets or actions and does nothing to divest itself of the ill-gotten gains, then it may be subject to prosecution. Despite these risks, most M&A due diligence remains focussed on financials and synergies, not on IG, and rarely do executives and board members insist on a risk analysis of the post-deal information environment.
Information supply chain partners
To move information to the cloud, most organisations rely on partners to store and manage their data. While these partners have developed expertise in data security, board members should consider a number of other issues.
Amazon Web Services (AWS), for example, protects access to data; however, without added options, the data stored in AWS is typically unencrypted, so should a breach occur a successful attacker has free rein over it. Further, some sync-and-share sites actually contract with other providers for the physical storage infrastructure. While an organisation may ensure its contract with a sync-and-share company complies with its governance policies, it will not automatically have insight into the sync-and-share company’s contracts with its storage providers.
If, for example, a sync-and-share customer deletes information in compliance with its retention policies, what guarantees exist that the information has actually been deleted from the physical servers? AshleyMadison.com charged $19 for a deletion option that supposedly scrubbed personal information from its servers, but leaked data apparently included details that should have been scrubbed.
Apply information governance to all data
Board members should insist that due diligence performed on M&A targets and information supply chain partners includes a review of their IG practices to ensure unified governance, process transparency and policy integration for the post-deal or post-contract environment.
The ability to do this starts with a comprehensive IG programme that defines and maintains a content strategy for the extended organisation. The Information Governance Reference Model (IGRM) was developed by EDRM to provide a framework of policy and process integration across all information stakeholders, including IT, business, legal, RIM, security and privacy. Such integration enables each stakeholder to understand the current business value of each information asset and the legal and regulatory issues related to it.
This holistic approach to evaluation – whether of currently held information, information to be acquired, or information in the hands of third parties – enables a deeper understanding of potential risks. It also enables organisations to expand defensible deletion practices to all data assets, especially newly acquired datasets and the volumes of data being moved to cheap cloud storage. The less data that exists, the less information can be exposed by cybercriminals, careless employees, IT malfunction, or an e-discovery request. For example, Delta Airlines is potentially facing nearly $5 million in financial sanctions for failing to produce documents on previously undiscovered back-up tapes.
IG best practices
Key best practices for implementing the IGRM include:
People
The Information Lifecycle Governance Leader Reference Guide, published by the CGOC, explains the benefits, strategies and core processes required to drive real change in an organisation. But taking even the earliest steps requires having the right people involved. An executive committee, including the CIO, CFO, general counsel and other officers, ensures the programme development effort is not wasted and that it will enjoy strong support. A senior advisory group of line-of-business leaders ensures the programme is responsive to individual business goals. A programme office drives and measures progress and directs a working group of the information stakeholders, who will develop and mature the policies and processes.
Processes
Once the people are in place, it’s time to develop a strategy for improving and integrating the typically siloed processes and practices of IT, business, legal, RIM, security and privacy. The IGRM provides a framework for linking information duties and value to the data assets that IT stores and manages, to more effectively tie information demand to infrastructure supply. Further, CGOC’s Information Lifecycle Governance Leader Reference Guide provides a maturity model for 18 specific processes required to lower cost and risk and institutionalise defensible disposal, value-based archiving and retention, and rigorous e-discovery. A working group comprised of practice delegates and function leaders also ensures that the processes and actions are designed to achieve the business goals, that there is sufficient capacity to execute those actions and that there will be ways to measure progress.
Technology
Policies requiring intensive manual labour from any of the information stakeholders will have a low success rate, so technology should be used to automate legal holds, records retention, de-duplication and proper tiering and disposal of data that no longer has business, legal or regulatory value. It is also essential that a single data source catalogue be shared between the policy makers (in business, legal, RIM, security and privacy) and those organisations that execute the policies. Further, having tools capable of providing analytics around transactional data can assist in testing corporate systems for potential bribery and corruption risks. Once risky transactions are identified, they can be automatically transferred to a case management tool for review.
And finally… 10 questions board members should ask
When driven by the board and supported by company executives, developing and implementing an IG programme that applies to the extended enterprise is significantly easier because the programme will reflect all the horizontal and vertical requirements of the organisation.
The IG programme – its people, processes and technology – also becomes the foundation for developing a holistic, detailed and consistent approach to evaluating M&A targets and information supply chain partners.
- What is the history of the company with regard to the following?
  a) Corruption investigations
  b) Data breaches and the effectiveness of the responses
  c) EU Data Protection investigations or actions
  d) Litigation frequency and amount in controversy
- Does the company have regular contact with the authorities in matters such as licenses, regulatory approvals, taxation or customs?
- Does the company have a Chief Data Officer? Chief Privacy Officer? Chief Compliance Officer?
- What foreign markets does the company operate in and what are the common risks or points of exposure in each?
- What kinds of compliance programmes does the company have in place?
- How well has the company implemented these policies? What are the consequences for violations?
- To what extent does the company use third-party agents to conduct business?
- What is the company’s data growth rate and what is its data disposal rate?
- Does the company have an updated data map of its digital assets?
- What is the involvement of C-Level executives in IG programmes?
Heidi Maher is Executive Director of Compliance, Governance and Oversight Counsel (CGOC)
Heidi is an attorney and a legal technology specialist who has advised hundreds of organisations on information governance around data security, compliance and e-discovery. From assessing maturity levels and drafting readiness plans to helping implement internal procedures and technology solutions, Heidi has helped organisations make the move from theory to practice, both from within the industry and as an external advisor.
Previously, she was a legal subject matter expert for a Fortune 150 technology company, a felony prosecutor, a litigator, an assistant state attorney general, and the public information officer for the second largest environmental agency in the U.S.