Information governance oversight: Questions for board members to ask


Jason R. Baron – Of Counsel at Drinker, Biddle & Reath LLP and Co-chair of the Information Governance Initiative


What keeps you up at night? Increasingly, the answer for board members and CEOs is the risk of a cyber breach. A variation on an online meme that has gone viral more than adequately sums up this concern: “There are only two kinds of companies: those that have been hacked and those that will be.”

Accordingly, in the governance space we have recently seen emerge a variety of calls for boards of directors to be asking questions of their CEOs, CISOs and CIOs about how companies are preparing for breaches and how they will deal with their aftermath through agreed protocols.

But while factoring in cyber risk is an increasingly real part of the corporate world, arguably there is an even more fundamental material weakness across the enterprise that boards of directors should be addressing: the company’s lack of a clear information governance strategy or framework for decision-making.

Information governance (IG) has been defined as “the activities and technologies that organisations employ to maximise the value of their information while minimising risks and costs”.[1] Of course, a part of the overall risk posed by data is the possibility of cyber breach. But there is much more to information governance than simply addressing one’s security concerns. At bottom, there are the questions of why and how data has been left to accumulate in the first place and what policies are in place to manage and control its continued growth.

Indeed, there are a host of overlapping issues surrounding not only security and preservation of data but also touching on data sensitivities and privacy, access to data in litigation and investigations, regulatory compliance and, increasingly, performing analytics for the purpose of monetising corporate data assets. Various facets of IG are displayed in the ‘pinwheel’ (see below). Board focus on cyber breach issues alone is a start, but high-level attention should be paid to a much broader range of technical and policy issues touching on all aspects of the overall corporate data environment.

Who is performing the IG function inside the company?

In its 2016 Annual Report, the Information Governance Initiative (IGI) – a think tank and vendor-neutral consortium formed in 2014 – found a serious leadership gap in IG. The survey revealed that a surprisingly low number of organisations (only some 37 per cent) have an IG steering committee or similar cross-functional group in place to deal with information-related issues. However, regardless of whether such a committee exists, 67 per cent of survey responders agreed that information governance should be delegated to a single senior executive with information governance in his or her title.

Consistent with its survey results, the IGI has championed the idea of creating the position of Chief Information Governance Officer (CIGO) within corporations, where that individual is charged with owning and coordinating the solutions to complex and overlapping information challenges. In many cases, no one ‘owns’ specific information problems as they arise – certainly not in the same way as a CISO owns information security. So too, in most organisations a vast amount of data accumulates but is inaccessible or unknown to senior management. The three primary gaps within the corporate space that a CIGO (or similarly titled individual) would fill include: (i) information-focussed leadership; (ii) organisation-wide information coordination; and (iii) being a balancer of information value and risk.

In demonstration of an emerging trend towards corporate adoption of the idea of a designated IG individual, in the past two years more than 140 IG executives and leaders (with IG in their business card titles) have participated in CIGO summits held in Chicago, where they contributed to building out what has become a playbook on what it takes to be an IG leader and what constitutes IG success.[2]

Accordingly, board members should be asking their CEO at the outset of any conversation about corporate IG practice:

  • Has our company put into place an IG Steering Committee, comprised of senior officials from the C-suite (or their delegates), to perform a coordinating function for the formulation of policies and practices across the many various facets of IG? And, if not, why not?
  • Does our company have a designated official, either with the title of Chief Information Governance Officer, or something similar, who performs either an executive secretariat function for IG issues, and/or takes a leadership role for the IG Steering Committee if there is one? And if not, why not?

These questions will necessarily shed light on the present state of attention C-suite members are paying to IG best practices, as well as the maturity of the IG programme itself. Where a company has a maturing IG programme with a designated ‘go to’ individual responsible for facets of IG, and where a cross-functional IG steering committee of some sort exists, board members and their CEO have a known place to start any inquiries they have. Board members should, of course, feel free to jump-start a conversation about IG, irrespective of parallel lines of inquiry on the subject of cyber breach.

One important caveat that must be emphasised is that the call for a designation of a CIGO or equivalent IG senior-level position is not intended in any way to limit the ability of board members (or the CEO) to obtain feedback from any and all senior management officials of their choice, regarding specific problems or challenges that have arisen with respect to corporate data, information or records. To the contrary, a CIGO may act as an appropriate conduit for facilitating board questioning of individuals with specific subject matter expertise.

Drilling down on IG practices

The process for getting a better handle on both the risk and the value of a company’s information assets starts with the same kind of questions as are asked with respect to cyber risk, but then diverges and expands into other areas. In general, board members would be well-advised to understand their company’s current information landscape. What constitute the company’s information assets, and which are the most valuable? Which consist of intellectual property? Which are informational assets relating to a customer or consumer base? Where does the data reside physically (controlled by an in-house IT staff, or in a third-party data centre, including in the Cloud)? And how much data does the company hold?

These questions collectively fall under the concept of establishing a data map or engaging in asset classification – a valuable exercise not only for informing what needs to go into a cyber incident response protocol, but also simply to become more informed on information risk and information value for any would-be IG project.

Additional questions a board might ask are: How much of the company’s data is in a legacy format (e.g. on back-up tapes, or on older versions of software), and is there a plan for disposition of that data? Are the company’s electronic record holdings accounted for in existing records schedules governing short- or long-term retention and, if not, what is the plan for updating schedules to incorporate this data? Do existing record-related policies need updating, including with new provisions to account for bring your own device (BYOD) practices, or other forms of shadow IT?[3] Does the company employ state-of-the-art search techniques when required to find electronically stored information in response to litigation or compliance audits? How are existing policies aligned with in-country and global privacy practices, including under the EU Privacy Shield? How is the company protecting personally identifiable information in consumer and employee data, and what are the company’s policies with respect to monetising consumer data, including in interactions with third-party data brokers? And how does the company purport to measure ROI for its IG projects and activities?

The above questions are by no means intended to be comprehensive – they represent only suitable entry points to a more robust conversation among the board and senior officials. But drilling down in asking a CIGO or other senior official these types of questions quickly establishes the extent to which the company ‘knows what it knows’ (or whether it doesn’t have a clue). Establishing a baseline as to senior officials’ IG strategies is simply a form of IG due diligence, as well as proper management of risk.

Do one or more board members need some kind of IG certification or have special expertise?

Especially with the advent of Sarbanes-Oxley (SOX) legislation in the US, it has become increasingly apparent that boards of directors directly benefit from one or more individuals having a special expertise in understanding financial statements. For covered entities, SOX expressly requires that an audit committee be set up on boards of directors, and that the committee “be directly responsible for the appointment, compensation and oversight of the work of any registered public accounting firm employed by [the] issuer.”[4] This, in turn, has led to the appointment of one or more board directors with expertise in auditing and financial affairs.

More recently, it has been suggested in some quarters that boards should set up a cyber risk subcommittee, charged with the responsibility of making recommendations to the full board on ways to mitigate cyber risk. Following in the footsteps of this model, boards could elect to have a standing information governance subcommittee, which may or may not decide that cyber risk is within scope.

As the discipline of information governance is so new, it would be unusual for a board member to currently hold some kind of certification in IG, as offered by such groups as ARMA International (through its IG Practitioner certificate) or others. This is not nearly as important as having a sufficient interest in pursuing issues at the intersection of information technology, law, recordkeeping, privacy, security and big data analytics.

Regardless of the chosen structure, boards should consider requesting periodic updates from senior staff with regard to the maturity of the company’s IG profile, including the latest relevant IG metrics. The accelerating pace of change in technology demands vigilant, continuing attention. Board members should fairly demand that a CIGO, equivalent officer or IG steering committee have a well-established escalation process, which encourages business executives to bring forth newly emerging information risk issues across all relevant policy areas.

Conclusion

In a 2014 speech about cybersecurity, the former Commissioner for the US Securities and Exchange Commission, Luis Aguilar, opined that: “Corporate governance performed properly, results in the protection of shareholder assets. Fortunately, many boards take on this difficult and challenging role and perform it well. They do so by, among other things, being active, informed, independent, involved, and focussed on the interests of shareholders… Good boards also recognise the need to adapt to new circumstances.”[5]

These words are also true for implementing and maturing an information governance framework. Changing corporate behaviour is never easy, and it is especially a challenge when it comes to implementing cross-cutting IG projects or programmes. Senior executive champions are necessary, but perhaps not sufficient, in all instances to be the drivers of corporate change. The more awareness boards have of a company’s strategic plan for governing its information assets, the greater the chance that boards will play a significant role in overseeing the implementation of best practices in the IG space.

About the Author:

Jason R. Baron is Of Counsel in the Information Governance and eDiscovery Group at Drinker Biddle & Reath, LLP, and serves as Co-Chair of The Information Governance Initiative. Jason is an author of scholarly research on the law of information retrieval, and is a frequent keynote speaker in international forums on the subjects of e-discovery and e-recordkeeping.

In 2011 he was honored as the recipient of the international Emmett Leahy Award, for career contributions in records and information management.

Footnotes:

[1] See Information Governance Initiative, Annual Report 2015-2016, http://iginitiative.com.

[2] See IGI CIGO Playbook 1.0, https://cigoplaybook.org/why-the-cigo-is-needed/

[3] See J.R. Baron & A.R. Marcos, “Beyond BYOD: What Lies in the Shadows?” (Ethical Boardroom, August 2015), https://ethicalboardroom.com/technology/beyond-byod-what-lies-in-the-shadows/.

[4] See Sarbanes-Oxley Act of 2002, § 301, codified at 15 U.S.C. § 78j-1(m)(2).

[5]