| Kerry Childe | Senior ConsultantCreating your team requires thinking about the kinds of privacy incidents your organization may encounter, and planning around those likelihoods. Each of the “legs” (Privacy, Security, Technology) has a critical function to perform and the loss of any one function will hamper your incident response, and may potentially create more risk than you resolve.
| Nandeep Mehta | Senior Consultant‘A journey of a thousand miles begins with a single step.” Similarly, the journey of your Information Governance initiative must begin somewhere, and oftentimes an assessment of where you are and where you need to be is a good first step.
| Bill Horn | Senior ConsultantAn effective Information Governance steering committee strikes a balance between making decisions on large and cross-functional issues while still allowing individual business units the latitude to execute their individual projects or initiatives.
| Catherine Cook Holmes | Senior ConsultantSuccessful approaches to help stakeholders move their Information Governance programs to the front of the line when it comes to senior management attention, approval, and eventually funding.
| Tom Mighell | COOROI models and cost justifications are nothing new, but the failure rate is still very high - you can probably recall an expensive project or two that failed to meet business objectives. Sometimes, these failures are technical in nature or the result of poor project management, but often the failure occurs from the very beginning, when building the justification.
| Catherine Cook | Senior ConsultantBeyond security, the real challenge for working from home is ensuring that information is stored in a secure repository that can be easily accessed by others. Instead of saving files and other information to C: drives or on home personal computers, companies should aggressively enable file sharing in the cloud.
| Nandeep Mehta | Senior ConsultantBefore figuring out where you need to go on your information governance journey, you first need a comprehensive understanding of your current state and how it came to be. An Information Governance (IG) assessment is typically a good place to start. This will help you determine where you need (or want) to go in the future.
| Greg Forest | CTOA Data Security Classification Standard (DSCS) specifies security controls for identified activities that could potentially affect the confidentiality, integrity, or availability of company documents or data. There is no universally accepted list of activity types; your list of activities may vary widely with those of other companies in your industry.
| Kerry Childe | Senior ConsultantCreating and managing a privacy incident response plan to respond to incidents affecting personal and other confidential information requires significant partnership between legal and information security. No matter what kind of incident response plan your organization creates and maintains, it is critical to review the plan periodically with the entire organization, and test the plan regularly with involved employees.
| Nandeep Mehta | Senior ConsultantThe first and perhaps hardest part of launching an Information Governance initiative is to build support among all relevant stakeholders. How do you get them onboard? The key is to properly message that win for each of them.
| Tom Mighell | Vice President DeliveryIn litigation, the timeframe covered by a discovery request can have a significant impact on your response. An Information Governance program can help place documents and data into systems and repositories that enable counsel and custodians to effectively and efficiently apply, track, and release a legal hold.
| Nandeep Mehta | Senior ConsultantDeveloping a steering committee will be the driving force to overall planning, implementation, and execution of your information governance program. To best prepare, here is what typically gets delegated and what key questions you should be asking during the steering committee.
| Greg Forest, CTO | Chief Technology OfficerMuch of the information a company creates, receives, transmits, and stores contains sensitive information, which often has specific management requirements. Here's why companies are incorporating management of sensitive information as part of their overall IG strategy.
| Kerry Childe, Esq. | Senior ConsultantIn order to determine how to secure your information and protect it from misuse, an important first step is to understand what you have and where it lives.
| Tom Mighell, Esq. | VP, Delivery ServicesA Discovery Response Process (DRP) guides corporate counsel, IT and other litigation stakeholders in the planning and execution of each stage of the eDiscovery process. Here's why you should consider one as part of your IG roadmap.
| Carlos Leon | In part 1 of this series we discussed how you can put together an informal Information Governance Program ROI. Sometimes, however, informal ROI just isn’t enough to justify creating a program, and leadership wants something more tangible. So how do you develop a formal ROI?
| Mark Diamond | President & CEOHaving an efficient IG program can multiply savings significantly for organizations when it comes to litigation readiness. The potential eDiscovery cost savings can provide powerful motivation for an information governance initiative, especially in litigation-intensive environments.
| Nandeep Mehta | Senior ConsultantAn effective Information Governance initiative can be a big win for an organization, but but getting started can be tricky, as many of these types of initiatives veer off the road and get stuck in the mud.
| Bill Horn | Principal ConsultantWhat you can do to help make Information Governance at your company less of a hot potato, and more of a nice warm plate of fries in which everyone can partake.
| Nandeep Mehta | Senior ConsultantFollowing our post last week, we wanted to expand a bit and discuss the wide variety of frameworks and standards organizations use to gauge Information Governance program maturity.
| Greg Forest | Chief Technology OfficerIn previous posts, we’ve defined Data Security Classification Standards (DSCS) and discussed examples of potential data security frameworks your organization can follow. In this post, we delve deeper into how you can use a security framework as the starting point for your DSCS.
| Carlos Leon | Informal ROI presents the costs and potential savings for one or several aspects of an IG program, but does not attempt, however, to fully quantify all of the costs, risks, and savings an IG program might provide...
| Kerry Childe, Esq. | Senior ConsultantA Personal Data Inventory is essentially an interview-based process, which relies first on collecting information from the business users who collect and use personal information; it’s their processes that result in the collection of that information...
| Tom Mighell, Esq. | VP, Delivery ServicesBe sure that your processes are up-to-date and that your employees are trained in what they should and should not be doing in case of a legal hold. Failure to do so could lead you down a rabbit hole of fines, sanctions, and worse.
| Catherine Cook-Holmes | Principal ConsultantEmployees are drowning in information, and interviews often reveal that employees experience significant “latent” pain when it comes to managing their information. You can use this pain to further demonstrate the benefits of an IG program...
| Nandeep Mehta | Senior ConsultantDifferent organizations in different industries necessarily have different desired levels of Information Governance program maturity. Organizations should consciously target the appropriate level of maturity that fits their needs, obligations, and risk tolerance...
| Mark Diamond | President & CEOAllowing outside vendors to “drive” the eDiscovery process without proper oversight can result in high costs from outside counsel. Many companies have learned the hard way that they should still supervise and, in some cases manage and control all phases of the eDiscovery process in order to control costs as well as risk.
| Bill Horn | Principal ConsultantI work with clients of all sizes in several industries. The newer companies in general and tech companies in particular have always been paperless. Some of you might assume that statement is hyperbole, but I can assure you…not a single filing cabinet in sight.
| Nandeep Mehta | Senior ConsultantWhen faced with information governance challenges, often the first question asked by in-house counsel is: why me? In-house counsel question if and when they should be involved, and wonder if it is better, for example, to let IT own Information Governance. At a time when many legal department budgets are being scrutinized, is it fair to ask if in-house counsel needs to be the one to lead the information governance dance?
| Greg Forest | Chief Technology OfficerDoes your organization current follow an information security framework? Organizations should comply with any industry-specific mandatory security frameworks, although many of these frameworks offer guidelines more than specific requirements...
| Carlos Leon | Many corporate decisions are driven by a program’s financial impact, and senior leaders tend to prioritize decisions in this way. This is why using a Return on Investment (ROI) model to show the benefits of an IG Program can help you show leaders why they should invest time and money to address associated costs and risks.
| WIlliam Horn, PhD | Principal ConsultantWhen organizations start to develop an Information Governance program, often the first question that arises is: who should own it? Once developed, which department or group should be responsible for day-to-day management? Equally important, who should fund it?
| Catherine Cook-Holmes | Principal ConsultantGaining financial and moral support from senior leadership for information governance initiatives is key to a program’s success. Therefore, often the first activity of a newly formed IG committee is to develop a business case for senior management.
| Kerry Childe, Esq. | Senior ConsultantMany companies operate their records management and privacy programs as completely separate functions. Taking a closer look, however, reveals that privacy and records management both require information management capabilities that are often duplicative or at least complementary...
| Nandeep Mehta | Senior ConsultantOften the most difficult part of an Information Governance program is simply getting started. Even with key stakeholders involved and senior leadership support, information governance steering committees wrestle with a number of questions...
| Mark Diamond | President & CEOGood litigation readiness is less about good firefighting, and more about good fire prevention. Instead of fighting the fires, find a proactive way to consistently manage discovery requests in litigation and regulatory matters.
| Greg Forest | Chief Technology OfficerDoes your company have a Data Security Classification Standard (DSCS)? A DSCS defines levels of security classification for records and information, and information handling controls for the repositories (systems and media) that contain them. Read more about this important piece of an Information Governance program.
| Kerry Childe, Esq. | Senior ConsultantThere are many similarities between the Colorado Privacy Act and those passed in California and Virginia. The biggest difference, though, is that the CPA does not apply solely to for-profit companies...
| Carlos Leon | In Part 1 of our discussion on auto-classification and information governance, we discussed the different ways auto-classification tools can be used to classify information. Today we ask the question: how well do they really work?
| Bill Horn, PhD | Principal ConsultantWe find that business need often exceeds regulatory requirements, and ignoring the business requirements for regulated records will only lead to users engaging in “underground archiving." With the importance of business need in mind, let’s consider the implementation of the Records Retention Schedule.
| Nandeep Mehta | Senior ConsultantIs your company using the Microsoft 365 suite of tools? If so, you may not be aware that comes with a lot of useful extras, some of which can help with your information governance activities. One of these tools is called Power Apps.
| Kerry Childe, Esq. | Senior ConsultantSeveral states passed amendments to their security breach notification laws in the 2021 legislative season. Here’s a quick description of those amendments.
| Tom Mighell, Esq. | VP, Delivery ServicesThe terms “information governance” and “data governance” have become interchangeable when discussing how to manage an organization’s records and information. While they are related, they are distinctly different ideas.
| Kerry Childe, Esq. | Senior ConsultantPrivacy and information security are like peanut butter and chocolate – they each do great things on their own, and together, make magic.
| Bill Horn, PhD | Principal ConsultantAn attorney for one organization actually requested a retention schedule with less than 10 categories of records so he could paste it into the body of an email, thereby making it impossible not to follow. How successful do you think that approach would be?
| Carlos Leon | Getting employees to go through and manually classify information is hard, or impossible – they all have day jobs, in addition to any records management responsibilities. As a result, many organizations are starting to look at other approaches to classifying information.
| Kerry Childe, Esq | Senior ConsultantThe new Virginia Consumer Data Protection Act (VCDPA), signed into law by Governor Northam on March 2, 2021, looks similar to the California Consumer Privacy Act/Consumer Privacy Rights Act. But it’s interesting to note that even where it differs, we can find echoes of those differences in other laws, whether state, federal, or international.