2015 was quite a year for Information Governance, and it’s now time for a year-end post. I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?

Privacy

This year brought uncertainty for cross-Atlantic data transfers, with the EU Court of Justice’s invalidation of the U.S.-EU Safe Harbor in reaction to the Snowden revelations about U.S. government surveillance practices. Companies scrambled to position themselves for a post-Safe Harbor world, while awaiting results of the Safe Harbor 2.0 negotiations.

2015 also offered a central lesson on privacy practices – namely, that privacy policies actually matter. Whether it was Nomi failing to give adequate notice of retail customer device tracking, or Spotify catching grief for privacy policy changes, or Ashley Madison promising a “full delete” feature, what a company says in its privacy policy has repercussions. Prudent companies ensure that their privacy policies reflect current reality, keep track of their resulting obligations, and confirm compliance.

Privacy was also a workplace issue, with employers video-surveilling employees and employees surreptitiously recording others. Well-crafted policies should govern all workplace monitoring.

Data Security

After the Anthem, Ashley Madison, and Office of Personnel Management breaches, 2015 finally confirmed for all that the data breach environment is infinitely more varied than the Target retail purchase card scenario. Innumerable bad guys (hacktivist, state-sponsored, criminal syndicate…) have diverse motivations, objectives, and tactics, all constantly evolving, which adds up to a “when not if” world of data breaches. While old-school vulnerabilities stubbornly persist, like the inadequate device management in Cancer Care, new-school threats continually emerge, as DEF CON annually reminds us.

This year it also began to sink in that, with such a dynamic threat environment, there simply will not be a static regulatory standard for adequate security across all U.S. industries. 2015 found various regulators pursuing their own respective approaches for adequate security. State breach notification laws continue to be a crazy quilt, and a preemptive federal law remains elusive. After a decade of quiet enforcement success, in 2015 the FTC hit a buzz saw of resistance to its data security enforcement authority under FTC Act Section 5. Wyndham took the FTC to the mat, protesting that, without clearly articulated security standards, it would be unfair for the government to pursue companies for “unfair” security practices under Section 5. But Wyndham lost this argument in the Third Circuit and settled with the FTC. Then, in LifeLock, the FTC’s commissioners took the position that even compliance with the Payment Card Industry’s Data Security Standards will not conclusively establish adequate data security.

Where does this leave us? As the Paris terrorist attacks reminded the world, there is no absolute security. Our expectation – and that of regulators and aggrieved individuals – should be reasonable security, evolving with lessons learned.

Information Management

Records & Information Management (RIM) remained under-appreciated, at least until an airplane crashed; or a gas pipeline exploded; or a gun purchase slipped by a bungled background check, with nine people shot dead. 2015 reminded us that consistent dedication to information management is important, no matter how unnewsworthy… precisely to keep things unnewsworthy.

Familiar problems persisted in 2015, such as the eternal battle over accumulating email. And new challenges emerged, principally the problem of vast, uncurated data becoming the Achilles heel of Big Data aspirations. Turns out that “garbage in – garbage out” cannot be overcome, no matter the computing power. What does seem to work is a zero-based approach, in which companies focus on what practicably can be accomplished given current technology and culture, rather than simply buying new technology tools and hoping for the best.

Litigation Preservation

In December the amended Federal Rules of Civil Procedure became effective, featuring greater clarity on spoliation sanctions in Rule 37, and the hardwiring of proportionality into the scope of discovery under Rule 26. The amended rules, properly used, provide new tools to resist overpreservation.

Technology-assisted Review (TAR) became a more established option for processing information in discovery. But litigants must practice appropriate transparency with the court and adversaries in how TAR will be used. And 2015 reminded us that preservation fundamentals remain important, including the proper scoping of legal holds, and the appropriateness of compliant, defensible destruction before the preservation duty arises.

Bringing it all together in Information Governance

In 2015 it became clearer than ever that every organization, regardless of industry, is in the information business. And though IT budgets remain strained, the fact is that new technology tools aren’t the magic bullet solution to governing information. Maximizing information value, while satisfying information compliance requirements and controlling information risks, requires most fundamentally an Information Governance perspective.

Whether or not your organization establishes a formal control system for Information Governance, the important step is to bust through siloed-thinking habits and consider all aspects of information value, compliance, and risk – privacy, data security, information management, and litigation preservation – whenever information-related decisions are made. We walked through this in some 2015 Byte Back posts, from managing vendor relationships, and adding social media features to company intranets, to adopting wearable fitness trackers in company wellness programs. But regardless of the scenario, the Information Governance perspective is invaluable. If you haven’t already done so, give it a try in 2016 – you’ll be glad you did.