Information Governance Essentials

You have too much data. The financial, operational, and reputational risks of that problem manifest themselves in data breaches and cybersecurity attacks every day.

IoT, mobile devices, Slack, Microsoft Teams, email threads, CRM data from growing inside sales and marketing teams...the volume of data being created is exploding. And that's all before sifting through it in the event of an investigation or litigation event. A proactive Information Governance Policy will help you defensibly reduce the data you're holding without inhibiting business operations.

I'm a business leader. Why should I care about Information Governance policies?

Thoughtful IG policies drive favorable business outcomes. Right now, there is more economic uncertainty than there has been in 90 years. Many organizations are understandably apprehensive about investing in new programs and initiatives.

But the costs are outweighed by the benefits when considering:

1. Limit the costs associated with data storage. Many eDiscovery vendors charge monthly or yearly data hosting fees that are determined by the amount of data being stored (e.g., $/month/gigabyte). For those organizations who choose to keep their data-hosting in-house, an effective IG plan limits the costs associated with procuring and maintaining both the necessary infrastructure used to store the data, as well as the people who are hired to keep that infrastructure secure and functional.
2. Mitigate the risk and costs associated with potential data breaches. Whether data storage is outsourced or kept in house, the sheer volume of “Big Data” means that keeping everything your organization creates is simply not a good plan – it’s costly and carries significant security and compliance risks.
3. Lower litigation costs. Discovery is often the most expensive and time-consuming part of litigation. A defensible policy that reduces stored data, then, by definition reduces the data attorneys have to sift through - and can increase quality at the same time. Plus, there are always the costs and risks of court-ordered sanctions that can result from data spoliation – whether intentional or unintentional
4. Collaboration between legal, IT, and business units can drive operational efficiency. Improve work processes, measure the success of programs and initiatives, impart and share agency knowledge, and document agency courses of action.
   

Okay, I care. So... what is Information Governance?

The term can induce confusion and frustration among business leaders, legal departments, and IT teams. Research and advisory firm Gartner defines Information Governance as:

“[T]he specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”

Robert Smallwood of InfoGov World Media has condensed this concept into: “Security, control, and optimization of information.”

At its core, Information Governance is the process of managing all of your organization’s information – especially electronically stored information (ESI) – from the time it’s created until the time it’s disposed of/destroyed. Think of it as getting your electronic house in order both to mitigate overall business risk and to curtail potential eDiscovery-related expenses during a regulatory investigation or litigation event. 

Attorneys Patrick Fraoli, Jr. and Harrison Finch break down the fundamental structure of an Information Governance program into the following five components:

1. Identify what information assets you have, and assess your business risk for using them
2. Protect the information with reasonable care
3. Detect any potential compromise
4. Restore your systems and processes to operational status, and
5. Recover, mitigating any harm, and go forward profitably

What does Information Governance have to do with eDiscovery?

Information Governance is the foundation that defines what data will ultimately be available to be identified, preserved, collected, reviewed, produced, etc. during the eDiscovery process. The policy determines the lifecycle of an organization’s data and establishes what data is necessary to keep vs. what data is irrelevant and/or superfluous. 

An effective policy is crucial to an organization’s ability to respond to an eDiscovery request accurately, reliably, quickly - and cost effectively.

To show how rapidly evolving this area is, Information Governance didn’t appear on the initial version of the EDRM diagram (2005). In fact, it wasn’t officially dubbed “Information Governance” until the 2014 version (although the stages listed as “Records Retention,” “Records Management,” and “Information Management” served similar functions in various pre-2014 versions). Now, not only is IG a distinct stage of the EDRM, it has its very own reference model – the Information Governance Reference Model (IGRM) (edrm.net).

Does my type of business even need an Information Governance policy?

Recent estimates show that as many as 40% of organizations don’t have a formal IG plan in place, and as many as 50% of them don’t have anyone in a dedicated Information Governance leadership position.

Yikes.

Entities in heavily regulated and/or litigious industries should double down on creating and enforcing IG policies, including those in:

1. Financial and lending institutions
2. Pharmaceutical manufacturers
3. Medical device manufacturers
4. Insurance
5. Construction 
6. Energy
7. Telecommunications
8. Utilities

In this digital age, many entities are increasingly involved with creating, retaining, and distributing vast amounts of information. Maintaining confident control over your primary asset - data - is paramount to your business' integrity.

Many businesses and government agencies have yet to digitize virtual mountains of paper files and have little idea what valuable information is contained therein. Maintaining these data blind spots, often called “dark data,” can be costly on several levels including an inability to holistically analyze, leverage, and monetize an organization’s information as well as the associated legal and compliance risks.

Who needs to be involved?

Particularly In the private sector, many businesses hand over their Information Governance leadership duties to a Chief Information Officer (CIO), Chief Information Governance Officer (CIGO), Chief Privacy Officer (CPO), or Chief Information Security Officer (CISO).  But Information Governance takes a village. The Information Governance Reference Model (IGRM) identifies three primary classes of stakeholders who need to work collaboratively for an Information Governance policy to be properly implemented:

1. Business Leaders who primarily create, and need, information to operate the organization
2. Legal, risk, and regulatory departments who understand the organization’s duty to preserve information beyond its immediate business value
3. IT departments who must implement the mechanics of information management

Many organizations partner with an experienced eDiscovery provider to help with the creation implementation of an Information Governance plan.

Regardless of which stakeholders ultimately participate, remember that Information Governance must be a total group effort with organization-wide buy-in and understanding. This is not a "set-it-and-forget-it" exercise: it's foundational to driving desirable business outcomes while minimizing long-term legal and IT costs.