Information governance is often thought about in the context of IT efficiency, data security and regulatory compliance. While it is true that these are the most critical drivers for executing data governance programmes, there is an equally important factor that deeply resonates with a corporation’s board and C-suite: reputational risk.
Just as trust is a key and fragile pillar for relationships in our personal lives, it is essential – among shareholders, clients, customers and employees – for a business to thrive. Ultimately, top company leadership is responsible for managing reputational risk and ensuring that the overall direction of the company will uphold trust in the brand.
As we’ve seen countless times, failure to handle data properly often results in damaging data breaches, which beyond legal and compliance violations, break trust and allow doubt to become part of a company’s image. Thus, it is critical that the board views information governance (IG) as being about compliance and legal risk, as it must be, but also as an effort to instil a high standard for ethics and privacy into the company’s culture. By embracing this mindset, a corporation’s leadership can set the correct tone from the top down, building advocacy for actionable programmes that ensure safe and responsible handling of sensitive data, as well as strong compliance and efficiency.
Because the general counsel (GC) has historically been the go-to stakeholder for dealing with highly sensitive issues – primarily litigation and investigations – the corporate legal team is uniquely positioned to lead the charge towards proactive data governance. With that position come legal and ethical obligations. In the US, federal and state laws require companies to implement reasonable security protections to safeguard personal data and, in most states, to notify affected individuals when that data is breached. There is a wide range of similar requirements around the world.
Beyond those statutory duties, legal teams also have an ethical obligation to maintain a level of technical competence. In Day v. LSI Corp., in-house counsel was sanctioned for failing to document and supervise the discovery collection process and for allowing the company’s document retention policy to be ignored. In the context of IG this matters because legal teams must understand which data sources exist and how they are retained, the consequences of how they choose to handle electronically stored information, and whether the facts they represent to regulators, opposing parties and the courts are accurate. These points illustrate that ethical obligations cannot be overlooked when considering the GC’s role in IG efforts.
Top issues for 2017
A handful of key themes will shape IG decisions in the coming year and should be on the GC’s radar as they look to establish or evolve governance programmes. These high-priority agenda items include:
1. E-discovery process optimisation
Over the last 10 years, we’ve seen an evolution in e-discovery processes among certain corporations, such as financial services or other highly regulated organisations that face high volumes of complex litigation. These organisations were at the forefront of establishing robust in-house e-discovery capabilities and today are ahead of most. Now, with process maturity, a broader variety of organisations are beginning to take similar steps to standardise and streamline e-discovery.
Corporations are looking to optimise in-house processes, from legal holds and handling complex investigations and litigation, to stronger collaboration between legal and IT functions. This includes vetting tools and ensuring rigorous in-house expertise, bolstering capabilities to efficiently scale to increasing data volumes and ensuring automated processes are defensible.
2. Increased Cloud adoption and migration
Many firms plan to migrate as much of their data as possible to the Cloud over the next five years. This includes migration to Microsoft Office 365, which analysts have flagged as an increasing pain point for IG and e-discovery. Cloud services introduce a variety of IG considerations: email archiving, data preservation requirements, cross-border regulations, data security and e-discovery processes. For corporations to realise the benefits that Cloud services offer, legal teams need to take certain steps before migrations begin.
As a corporation’s Cloud strategy develops, legal and compliance teams should be engaged early on to advise on regulatory and legal hold considerations, as well as varying cross-border and security sensitivities. Alain Pelluch, data privacy manager at Novartis International AG echoes this sentiment, saying: “As companies are planning to move data to the Cloud, IT should engage legal and data privacy functions early in the process to help mitigate risk in a legally compliant, cost effective and pragmatic fashion.”
3. General Data Protection Regulation (GDPR)
The General Data Protection Regulation replaces the 1995 Data Protection Directive and applies from 25 May 2018, so corporations need to spend the coming year putting a response strategy in place and budgeting for the programmes and technology needed to comply. Legal teams must understand that GDPR reaches well beyond European corporations: it applies to any organisation that controls or processes the personal data of individuals in the EU, including organisations established outside the EU that offer goods or services to, or monitor the behaviour of, those individuals.
Personal data can range from an IP address to biometric data. Beginning an IG programme will help gain better control over data by informing what data exists, where it is, where it flows to and from and its corresponding regulatory obligations. Any IG effort that is aimed at getting the data house in order will help with preparing for this wide-sweeping regulation.
4. Cybersecurity
Globally, there are dozens of laws that regulate how corporations must approach and maintain cybersecurity and what they must do in the event of a data breach. IG is a key part of ensuring security commensurate with risk. In the EU, the Network and Information Security (NIS) Directive (Directive (EU) 2016/1148) was adopted in July 2016 and must be transposed into national law by May 2018, 21 months after it entered into force. It requires each Member State to adopt a national network and information security strategy and to designate competent authorities and computer security incident response teams (CSIRTs), and it requires operators of essential services and digital service providers to take appropriate security measures and to notify significant incidents to the authorities. The procedural powers sometimes listed alongside it – expedited preservation, search and seizure and interception of computer data, mutual legal assistance and prosecution of cybercrimes committed within each jurisdiction – come instead from the Council of Europe Convention on Cybercrime (the Budapest Convention).
In the US, breach notification is governed mainly by state law, supplemented by sector-specific federal rules such as HIPAA for health data and the Gramm-Leach-Bliley Act for financial institutions; these set out how corporations must respond and communicate after a breach, and fines can result if reporting is not timely and thorough. The Computer Fraud and Abuse Act prohibits unauthorised access to computers, and the Electronic Communications Privacy Act (including the Stored Communications Act) prohibits unlawful interception of electronic communications and unauthorised access to stored communications.
The UK, Canada, France, Germany, Japan, India, Singapore, Australia and others have varied laws to this extent. As cybersecurity threats and regulations evolve, it is important that legal teams remain informed about the legal aspects of managing cyber risks and map out unique programmes for handling them in each region where the corporation does business.
5. AI and machine learning
Advanced technology has emerged that can accelerate IG remediation and support investigations and litigation. While many lawyers are beginning to adopt advanced analytics for e-discovery, we are only scratching the surface of how they can be applied to IG projects. Corporations are still reticent about using machine learning tools and predictive coding, which only gained approval from an English court for use in e-discovery last year (Pyrrho Investments Ltd v MWB Property Ltd, 2016); but these tools are useful for classifying large volumes of data efficiently. Using machine learning as part of an overall information classification approach can reduce manual effort.
Corporations must be prepared to defend how data is preserved and deleted, so it is important to maintain the right balance of people, process and technology, especially when using advanced tools. As legal teams evaluate predictive coding and advanced analytics, it is important to secure qualified experts that can advise on how the technology can best be utilised.
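As an added illustration of the predictive-coding workflow the two paragraphs above describe (this is example code written for this article, not a tool from FTI Consulting or any product the article discusses), the following Python script trains a small naive Bayes classifier on a reviewer-labelled seed set, ranks further documents so that likely-responsive ones are reviewed first, and measures recall and precision on a held-out control set, which is the kind of figure a legal team would cite to defend the process. All document texts are constructed; the "responsive" label refers to a hypothetical merger investigation, and naive Bayes stands in for whatever classifier a commercial platform would use.

```python
"""Added example (not from the original article): a minimal predictive-coding
workflow. A reviewer labels a seed set, a naive Bayes classifier scores the
remaining documents, and a held-out control set yields the recall/precision
figures used to defend the process. All documents are constructed."""
import math
import re
from collections import Counter

# Constructed seed set: (text, responsive). "Responsive" means relevant to a
# hypothetical merger investigation; every text is invented for this example.
SEED_SET = [
    ("board reviewed the acquisition valuation and merger timeline", True),
    ("counsel circulated the draft merger agreement to the acquirer", True),
    ("diligence team flagged valuation risk in the acquisition model", True),
    ("the merger announcement is scheduled after regulatory clearance", True),
    ("reminder the parking garage closes early on friday", False),
    ("birthday cake in the kitchen please help yourselves", False),
    ("the lunch menu for the offsite has been updated", False),
    ("facilities will test the fire alarm on monday morning", False),
]

# Constructed control set, held back from training and used only to measure
# the model; its labels come from a human reviewer, not from the classifier.
CONTROL_SET = [
    ("acquirer counsel requested the updated valuation model", True),
    ("merger agreement signing moved to next week", True),
    ("kitchen fridge will be cleaned out friday lunch", False),
    ("fire alarm test rescheduled to monday", False),
]


def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())


class NaiveBayesCoder:
    """Multinomial naive Bayes with Laplace smoothing; scores are log-odds."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.word_counts = {True: Counter(), False: Counter()}
        self.doc_counts = {True: 0, False: 0}
        self.vocab = set()

    def fit(self, labelled_docs):
        for text, label in labelled_docs:
            tokens = tokenize(text)
            self.word_counts[label].update(tokens)
            self.doc_counts[label] += 1
            self.vocab.update(tokens)
        return self

    def log_odds(self, text):
        """log P(responsive | doc) - log P(not responsive | doc)."""
        tokens = [tok for tok in tokenize(text) if tok in self.vocab]  # unseen words carry no evidence
        total_docs = sum(self.doc_counts.values())
        score = 0.0
        for label, sign in ((True, 1.0), (False, -1.0)):
            prior = math.log(self.doc_counts[label] / total_docs)
            denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
            likelihood = sum(
                math.log((self.word_counts[label][tok] + self.alpha) / denom) for tok in tokens)
            score += sign * (prior + likelihood)
        return score

    def is_responsive(self, text, threshold=0.0):
        return self.log_odds(text) > threshold


def evaluate(model, control_set, threshold=0.0):
    """Recall and precision on the held-out control set: the numbers that show
    the process is defensible, not merely efficient."""
    tp = fp = fn = 0
    for text, truth in control_set:
        predicted = model.is_responsive(text, threshold)
        tp += int(predicted and truth)
        fp += int(predicted and not truth)
        fn += int(not predicted and truth)
    recall = tp / (tp + fn) if tp + fn else 0.0
    precision = tp / (tp + fp) if tp + fp else 0.0
    return recall, precision


def rank_for_review(model, unreviewed):
    """Highest log-odds first, so reviewers see likely-responsive documents early."""
    return sorted(unreviewed, key=model.log_odds, reverse=True)


if __name__ == "__main__":
    model = NaiveBayesCoder().fit(SEED_SET)
    print("recall, precision on control set:", evaluate(model, CONTROL_SET))
    for doc in rank_for_review(model, [t for t, _ in CONTROL_SET]):
        print(f"{model.log_odds(doc):+.2f}  {doc}")
```

The control set is the part a court will ask about: it is labelled by people, never used for training, and re-measured each time the model is retrained, so the recall figure reflects what the classifier would actually miss. The threshold is a business decision to be documented alongside the measurement; lowering it raises recall at the cost of more documents for human review.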
Taking action
With the above issues in mind, there are key actions the GC can take in partnership with the board and other C-level stakeholders to move IG programmes forward.
1. Obtain board and C-level support: To be successful, IG must be a cross-stakeholder initiative with sponsorship from top company leadership. The board should expect legal and other departments to work together to determine enterprise-wide initiatives and programmes that will benefit from solid IG practices. Stakeholders can partner to achieve their range of unique goals through the implementation of a single IG effort.
Further, when corporations build their risk framework, the process includes a standardised prioritisation of the highest risks, such as regulatory/sanctions, reputational damage, etc. With this framework in hand, legal advisors can evaluate which risk categories IG will impact and balance that with the cost and ROI of any given IG initiative. This will make it possible to make a business case for IG investments that can mitigate key risks without becoming financially prohibitive. This business case should also take into consideration the cost avoidance of possible penalties for failing to comply with the GDPR, NIS or other regulations.
Sarah Walker, VP and global chief counsel at Aon Risk Solutions agrees, commenting: “It is critical to engage the board and members of the executive committee to establish IG as a strategic priority. The programme needs to be well-aligned with the enterprise risk framework to ensure the strategic view and operational remediation (from bottom up) dovetail together to be able to achieve sustainable compliance for the long term.”
2. Understand your obligations: Legal teams, working with trusted advisors, are critical in informing leadership as to which regulations are applicable to the corporation’s specific industry and regions of operations. A wide variety of record keeping, data protection, security and other regulatory obligations for data may apply. Defining obligations should be a holistic effort that involves the risk and compliance team, as they are the ones who may need to face-off with regulators and will benefit the most from efficient processes.
3. Get started: Corporations are no longer asking if they need to tackle IG, but rather working on how to start. A previous Advice from Counsel study, which examined practices within Fortune 1000 legal departments, identified 30 different areas of focus for IG programmes, highlighting this challenge. While data issues can be overwhelming, teams must remember: don’t boil the ocean. Instead, prioritise remediation projects that address the highest risk areas or can provide a quick win to give momentum. One way to achieve this is to break down IG goals into categories:
- Protecting the sensitive information of customers and employees
- Securing sensitive company IP
- Arming against cybersecurity threats
- Developing protocols and systems to ensure secure access to the network by partners and approved third parties.
These categories can help organisations take a large challenge and channel it into initiatives that are more focussed and easier to accomplish.
One example of this done well was at Blue Cross Blue Shield North Carolina (BCBSNC) in the US, which sought to provide greater visibility into corporate data stored on its various networks for investigations, improved security and more efficient data archiving. The team at BCBSNC knew that while this was a huge undertaking, the potential long-term benefits would justify the project. FTI Consulting’s Technology experts were brought in to join the initiative. The project included security scans to identify hidden and secure folders, splitting client data into more manageable datasets and assignment of policies and controls to certain data for regulatory, legal and operational requirements. With these in place, BCBSNC could begin to understand the magnitude and nature of the risks and opportunities inherent in its data.
In any transformational IG programme, it is generally understood that people, process and technology are key ingredients to long-term success. But often, the people part of the equation gets lost in a sea of discussions about headcount and resourcing requirements. IG must be part of the values that are embodied at the executive level. This is what enables transformation and the appropriate actions to drive long-term change. When each employee embodies trust, ethics, security and privacy, these values will translate to the services or products that the company provides.