2015 was quite a year for Information Governance, and it’s now time for a year-end post. I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?
This year brought uncertainty for cross-Atlantic data transfers, with the EU Court of Justice’s invalidation of the U.S.-EU Safe Harbor in reaction to the Snowden revelations about U.S. government surveillance practices. Companies scrambled to position themselves for a post-Safe Harbor world, while awaiting results of the Safe Harbor 2.0 negotiations.
After the Anthem, Ashley Madison, and Office of Personnel Management breaches, 2015 finally confirmed for all that the data breach environment is infinitely more varied than the Target retail purchase card scenario. Innumerable bad guys (hacktivist, state-sponsored, criminal syndicate…) have diverse motivations, objectives, and tactics, all constantly evolving, which adds up to a “when not if” world of data breaches. While old-school vulnerabilities stubbornly persist, like the inadequate device management in Cancer Care, new-school threats continually emerge, as DEF CON annually reminds us.
This year it also began to sink in that, with such a dynamic threat environment, there simply will not be a static regulatory standard for adequate security across all U.S. industries. 2015 found various regulators pursuing their own respective approaches for adequate security. State breach notification laws continue to be a crazy quilt, and a preemptive federal law remains elusive. After a decade of quiet enforcement success, in 2015 the FTC hit a buzz saw of resistance to its data security enforcement authority under FTC Act Section 5. Wyndham took the FTC to the mat, protesting that, without clearly articulated security standards, it would be unfair for the government to pursue companies for “unfair” security practices under Section 5. But Wyndham lost this argument in the Third Circuit and settled with the FTC. Then, in LifeLock, the FTC’s commissioners took the position that even compliance with the Payment Card Industry’s Data Security Standards will not conclusively establish adequate data security.
Where does this leave us? As the Paris terrorist attacks reminded the world, there is no absolute security. Our expectation – and that of regulators and aggrieved individuals – should be reasonable security, evolving with lessons learned:
- Not all data is created equal – for example, health data, social security numbers, and sensitive personal information may be more tempting targets than purchase card data with its short shelf life.
- Encryption sounds nice, but remember to safeguard the encryption keys.
- Because information flows in and out of organizations with cloud hosts, service providers, and customers, contractual safeguards are just as crucial as system security.
- Security is a continual process, not a project to be completed, and so ongoing board-level engagement is essential.
- Breaches are expensive – while the jury’s still out on reputational damage, the hard costs of data breaches can be huge, with Target’s approaching half a billion dollars. And on the litigation front, standing requirements for consumer lawsuits are loosening after the Seventh Circuit’s Neiman Marcus ruling, and the settlement value of consumer damage claims is on the rise.
- Though a valuable risk management tool, cyber insurance has its own dangers, only now emerging, such as surprises in coverage scope and the vulnerability of insureds that overstate safeguards in their applications.
- Breach response has way too many moving parts to be figured out on the fly, and so breach response readiness is crucial to coordinate security, legal, forensic, law enforcement, regulatory, insurance, stakeholder relations, crisis communications, breach notifications, and personnel management activities.
Records & Information Management (RIM) remained under-appreciated, at least until an airplane crashed; or a gas pipeline exploded; or a gun purchase slipped by a bungled background check, with nine people shot dead. 2015 reminded us that consistent dedication to information management is important, no matter how unnewsworthy… precisely to keep things unnewsworthy.
Familiar problems persisted in 2015, such as the eternal battle over accumulating email. And new challenges emerged, principally the problem of vast, uncurated data becoming the Achilles' heel of Big Data aspirations. It turns out that “garbage in – garbage out” cannot be overcome, no matter the computing power. What does seem to work is a zero-based approach, in which companies focus on what practicably can be accomplished given current technology and culture, rather than simply buying new technology tools and hoping for the best.
In December the amended Federal Rules of Civil Procedure became effective, featuring greater clarity on spoliation sanctions in Rule 37, and the hardwiring of proportionality into the scope of discovery under Rule 26. The amended rules, properly used, provide new tools to resist overpreservation.
Technology-Assisted Review (TAR) became a more established option for processing information in discovery. But litigants must practice appropriate transparency with the court and adversaries in how TAR will be used. And 2015 reminded us that preservation fundamentals remain important, including the proper scoping of legal holds, and the appropriateness of compliant, defensible destruction before the preservation duty arises.
Bringing it all together in Information Governance
In 2015 it became clearer than ever that every organization, regardless of industry, is in the information business. And though IT budgets remain strained, the fact is that new technology tools aren’t the magic bullet solution to governing information. Maximizing information value, while satisfying information compliance requirements and controlling information risks, requires most fundamentally an Information Governance perspective.
Whether or not your organization establishes a formal control system for Information Governance, the important step is to break through siloed thinking habits and consider all aspects of information value, compliance, and risk – privacy, data security, information management, and litigation preservation – whenever information-related decisions are made. We walked through this in some 2015 Byte Back posts, from managing vendor relationships, and adding social media features to company intranets, to adopting wearable fitness trackers in company wellness programs. But regardless of the scenario, the Information Governance perspective is invaluable. If you haven’t already done so, give it a try in 2016 – you’ll be glad you did.