With the tsunamic rise in information growth in the past few years,[i] managing ever-increasing formats and sourcing has become increasingly difficult. The complexity has resulted in newly defined C-level participants (e.g., data officers, chief information officers, chief technology officers) tasked with putting electronic data in order. Riding a forceful wave of growth, they attempt to control what is defined as their domain, often putting out fires as data growth leads to potential liability in courts of law or through government-agency enforcement.
This leads to the tail wagging the dog, with immediate pressures often undermining long-term strategies to build solid foundations for future information growth, particularly regarding defensible deletion. Sometimes, the decision to “keep it all” is based on an assessment of return on investment that considers the risks worth taking compared to the cost of ensuring compliance through the creation of a long-term information governance (IG) roadmap. More often, the decision (or just indecision) is one of inertia buttressed by a fear of an inability to provide evidence required to defend or advance a cause. In the past two years, some have defended the indecision as a strategic decision to maintain data for marketing or business planning using increasingly sophisticated analytical software.
Privacy Data Breaches – A Primary Driver for Improving Information Governance
Until recently, there has been no real accountability in how an organization maintains, organizes, creates, and/or disposes of its information (i.e., there has been no external focus on its IG framework unless an organization has been hit with prohibitively expensive eDiscovery costs or regulatory fines). So what currently drives a more comprehensive framework for IG?
Data breaches of private information,[ii] as well as hacking of business and trade secrets, have become commonplace. We are not surprised when our bank cards are hacked; we are more likely intrigued by where our information shows up. Corporations have scrambled to determine whose information has been compromised and to notify individuals in time to avoid financial damages. C-level executives have lost their jobs over their company’s mishandling of the breach,[iii] a court’s allowance of a class action by credit card holders against Neiman Marcus,[iv] and the FTC taking action against Wyndham Resorts for failure to protect the data of its customers.[v] The potential for fines imposed by the FTC or state attorney generals based on state data-breach laws, damages in private law suits, or untimely loss of highly placed executives increases the potential costs of a future breach. In addition, as reflected in the Neiman Marcus case, damage to a company’s reputation due to the glaring scrutiny of its inadequate information governance serves to motivate others to remedy inadequate IG frameworks.
Due Diligence – A Duty to Adopt a Refined Focus to Consider State of IG?
An article published in the University of Richmond’s Journal of Law and Technology addressed the issue of whether IG should be a factor addressed during a mergers and acquisitions audit, and by extension, asset purchases, divestitures, and bankruptcy transactions.[vi] Extensive research showed that the issue had not been addressed previously, even though a company’s current technology is an area commonly reviewed for achieving due diligence. The authors of the article argued that the potential liability and future costs related to inadequate IG should be addressed as part of mergers and acquisitions due diligence and that the lack of prior consideration is a reflection of current law’s tendency to lag behind technological development.
The accuracy of this view—that the state of a company’s IG should be assessed as part of a due diligence effort in mergers and acquisitions—has been evidenced since the University of Richmond article’s publication with this past year’s growth of privacy breach insurance. Insurers are increasingly performing their own audits of a company’s IG framework for determining the cost of breach coverage. In fact, rising insurance costs based on weak information governance will likely increase focus on improvements, particularly in areas of retention and classification.
Information Governance – Is It Really Necessary to Address Data Breach Due Diligence?
An important aspect of IG is the defensible disposition of data that is no longer of value to the business or has no legal requirement of maintenance. An estimated 70 percent of information maintained has no ongoing value.[vii]
IG is an example where less is more. With less information, it is easier and faster to retrieve relevant information (in this case, personally identifiable information (PII)), costs less to maintain, and limits liability to those whose information is deleted as soon as it no longer has business value. Notification timelines can be met, and affected people can be accurately identified. Attempting to meet these requirements while maintaining large data pools or warehouses of information that have not been identified, much less classified (the unknown unknown), creates an extremely difficult environment for compliance. For companies that do business with European citizens, the timelines for notifications will decrease, personal data collection will be more strictly controlled in its use and maintenance, and potential sanctions will be significantly increased. Instead of returns of investments, we will more likely assess costs of inaction to more accurately reflect the impact of inadequate IG.
The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.
[i] Moore’s Law was coined by Gordon Moore (co-founder of Intel). In 1963, Moore predicted that computer chip–design technology would exponentially double every 24 months, while the cost of computers would decline by 50 percent during the same period. Moore’s law has been accurate, although the doubling is occurring at 18 month intervals.
[ii] In the United States, “private information” or “personally identifiable information” is defined by state law, unless specifically defined by a federal statute. Types of information usually specified include social security numbers, driver’s license numbers, email accounts with passwords, health insurance, medical records, and biometrics.
[iii] Target’s chief executive, Greg Steinhafel, was forced to resign when 40 million card accounts were breached along with 70 million instances of PII breach. The CFO of the Fortelus hedge fund, Thomas Meston, lost his job when he was duped into allowing the change of security codes by a phone caller late on a Friday afternoon. Most recently, Donna Seymore, CIO for the OPM, was named as a defendant in a class action suit brought by federal employees’ union.
[iv] Remiijas et al. v. Neiman Marcus Group, case 14-3122 (7th Cir. 2015). In December 2014, 350,000 credit card accounts were breached. Plaintiffs allege that Neiman Marcus deliberately delayed its notification of customers to take advantage of the holiday sales. On a motion to dismiss, the court ruled that the breach itself was sufficient to infer damages to Plaintiffs.
[vi] Sherer, James, Taylor Hoffman, and Eugenio Ortiz, “Merger and Acquisition Due Diligence: A Proposed Framework to Incorporate Data Privacy, Information Security, E-Discovery, and Information Governance into Due Diligence Practices,” 21 Rich. J. L. & Tech. 5 (2015). The authors specify that their view of information governance is merely a maturation of the field of records management. Their explanation that the areas of privacy, security, eDiscovery, and records management need to be viewed holistically, rather than in silos, belies the current definition of IG as incorporating all of these areas.
[vii] According to a 2012 Compliance, Governance and Oversight Counsel survey, at any given time: 1 percent of corporate information is on litigation hold; 5 percent is in a records category; and 25 percent has current business value.