Choose Your Own Adventure: Mastering Information Governance in the Workplace

Monday, August 24, 2015 by Eric Robinson


Choice A or Choice B? Choice C or Choice D? There’s nothing quite like the mystery and thrill of the Choose Your Own Adventure (CYOA) novel, where the reader gets to direct and navigate the story of their choice.

Similarly, when it comes to Information Governance (IG) programs, corporate counsel and the IG team get to create their own old school CYOA storyline by defining the processes and implementation of the multi-disciplinary structures, policies and programs necessary to control and organize data. Kroll Ontrack’s Tom Barce recently wrote an article, Information Governance: Be Prepared for a Data Disaster, discussing the importance of IG programs and what corporations should be aware of in regards to what an IG program can do.

To showcase the advantages of IG programs, let’s consider the following scenario for Health Nuts (HN), a large (fictional) multi-national company in the nutritional supplements industry:

The company has hundreds of employees and millions of records containing private and personal data. Over the past decade, the company has grown rapidly through acquisition. HN recently expanded into Brazil, however, very little has been done to integrate the various data management policies and procedures from the newly acquired companies. Some divisions of HN are highly technical, with employees leveraging modern communication devices and forums, as well as using personal devices for work communications.

Do you:

Choice A: continue as is and allow various data management policies to continue


Choice B: re-evaluate the complexities and dangers of rapid growth and insufficient data policies and consider incorporating an IG program

For inside counsel and IG teams, the above hypothetical should raise blaring issues of security, management and data protection. Unfortunately, with corporations now fully entrenched in the digital age, counsel are playing a catch-up game with how fast data is created and where the data goes, and many do not recognize the need for a robust IG program. When utilized properly, IG programs can control a corporation’s data and maximize its value, but only if the information at hand is under control. So what happens if the information is not under control and a corporation chooses Choice A? Let’s return to aforementioned Heath Nuts Corporation:

The nature of the organization’s data management and decentralized IT systems left it ripe for attack. Three months ago, the company suffered a data breach and is still trying to determine the scope of the attack across its divisions. Due to this, customers have experienced identity theft and fraud. Compounded with the fact that state and federal agencies are investigating the nature of the breach, a lawsuit is clearly imminent.

Do you:

Choice C: Await litigation


Choice D: Go back to the initial set-up and implement an IG program

For Health Nuts and for most corporations, the above situation is not too far from the norm if corporations choose Choice A over Choice B. Fortunately, steps can be taken to mitigate this hair-raising data disaster by choosing Choice D and following these initial steps:

Be Aware of Your Data and Know How to Leverage People, Processes and Technology

Before making any decisions about a company’s data, counsel needs to understand what, and where, data is stored and what the current policies regarding data retention and destruction are. Counsel needs to be especially concerned with the nature, location, security and maintenance of personally identifiable information (PII) as well as “dark data,” or data that is created, processed, and stored in the regular course of business and is not currently in use. Once a corporation’s data is located and secured, the next step would be to leverage current employees in the IT and Information Security departments to ensure the appropriate emphasis is placed on training them and the organization-at-large about the policies and definitions of the IG program. In addition, data categorization, auto-classification, and predictive coding solutions may be utilized as part of your IG strategy to reduce costs while organizing data for future use. Furthermore, counsel must consider data that has been placed on legal hold and held in a legal hold repository. This data and the associated obligations are the burdensome, but necessary, exceptions to effective IG that can lead so many corporations to complacency.

De-Cluttering Company Data…

The success of IG programs depends on a number of factors, including the increased business utility of the data under management, storage savings, impact on ediscovery and company productivity. In today’s modern age, data tends to accumulate exponentially. To prevent the hoarding of extraneous data, corporations must learn to dispose of unnecessary information and learn to sift through the types of data that will have a great effect on protecting company, employee and consumer data while streamlining ediscovery responses by eliminating irrelevant documents. In addition, de-cluttering company data can increase the value and efficiency of an IG program, thus allowing for more effective analytics.

...But Keeping the Necessary Documentation

Through the process of streamlining the IG program, organizations must ensure that they effectively document their processes. This includes clarifying IG program goals, definitions, policies and procedures, as well as employee training, enforcement actions, audit practices and program evaluations. Corporations should document these processes in anticipation of dealing with legal or regulatory actions, as well as help in the overall evaluation of the IG program. Successful documentation can lead to increased visibility and better opportunities for corporations to address and fix problems.

If corporations wish to avoid a data disaster, the choice is clear. By utilizing an effective IG program to locate, secure, and document their information retention and destruction processes, corporations may avoid or, at a minimum, mitigate the risks and damages that result from data breaches and/or regulatory and litigation events. For more information, check out Information Governance: Be Prepared for a Data Disaster today!