In this series on defining your company’s information security classifications, we’ve already looked at Protected Information under state PII breach notification statutes, and PHI under HIPAA. What’s next? Customer information that must be safeguarded under the Gramm-Leach-Bliley Act (GLBA), a concern for any “financial institution” under GLBA.

GLBA begins with an elegant, concise statement of congressional policy: “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Sounds straightforward, doesn’t it? Things get complicated, though, for three reasons: (1) the broad scope of what constitutes a “financial institution” subject to GLBA; (2) the byzantine structure of regulators authorized under GLBA to issue rules and security standards and to enforce them; and (3) the amorphous definition of nonpublic customer information.

In this series on establishing security classifications for your company’s information, last week’s post looked at one aspect – the widely varying definitions of Protected Information under state PII breach notification statutes. But if your organization is a covered entity or business associate under the Health Insurance Portability and Accountability Act (HIPAA), the definition of Protected Health information (PHI) is also a key puzzle piece for your classification scheme.

HIPAA establishes national standards for the use and disclosure of PHI, and also for the safeguarding of individuals’ electronic PHI, by covered entities and business associates. Merely having information commonly thought of as “protected health information” does not mean that HIPAA applies. And there are some surprises in which organizations are – and are not – covered by HIPAA. So, that’s the first question to answer – is your company a HIPAA covered entity or business associate?

When governing information, it works well to identify and bundle rules (for legal compliance, risk, and value), identify and bundle information (by content and context), and then attach the rule bundles to the information bundles. Classification is a great means to that end, by both framing the questions and supplying the answers. With a classification scheme, we have an upstream “if-then” (if it’s this kind of information, then it has this classification), followed by a downstream “if-then” (if it’s information with this classification, then we treat it this way). A classification scheme is simply a logical paradigm, and frankly, the simpler, the better. For day-to-day efficiency, once the rules and classifications are set, we automate as much and as broadly as possible, thereby avoiding laborious individual decisions that reinvent the wheel.

Easy so far, right? One of the early challenges is to identify and bundle the rules, which can be complicated. For example, take security rules. Defining what information fits in a protected classification for security controls can be daunting, given the various overlapping legal regimes in the United States for PII, PHI, financial institution customer information, and the like. So, let’s take a look, over several posts, at legal definitions for protected information, starting with PII under state statutes.

I’m here at RabbitHole, Inc., talking with the company’s Manager of Money in his office, which is buried in the Facilities Department, down in the building’s basement. I’m interviewing him to get a better sense of how RabbitHole manages money as a corporate asset.

Pardon my asking, but how much money does RabbitHole have?

“Frankly, no one knows – we don’t really keep track of that. We have boxes of paper currency stored off-site, but as for ‘active’ money, our employees keep that pretty much wherever they choose – in the network money systems, in their individual offices, in mobile wallets, and probably some stashed at home.”

But isn’t that your job? I mean, your title is “Manager of Money,” right? 

2015 was quite a year for Information Governance, and it’s now time for a year-end post.  I’ve neither the prescience nor patience for making predictions, and after briefly flirting with a Star Wars/Holiday mash-up, I remembered that’s been done before, with tragic results. So, all that’s left is a single question, which may be the only question that matters  – over a tumultuous year for privacy, data security, information management, and e-discovery, what did we learn about governing information?

As we anticipate the calorie-bomb of Thanksgiving dinner, let’s face it – litigation preservation is overweight, obese, and corpulent, torpidly dazed in a fat/sugar coma of way too much data. But effective Dec. 1, amended Rule 26 of the Federal Rules of Civil Procedure strikes back, limiting the scope of discovery to what is “proportional.” Will the amended rule tip the scales toward leaner litigation preservation, or is this simply another FRCP fad diet, doomed to fail?

Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and then have our employees report their stats and progress in some kind of fitness competition, with cool stuff as motivating rewards. Premium costs down, flab down, fitness up, profits up… what could possibly go wrong?

Plenty will go wrong, unless the company takes a breather and checks the pulse of information-related risks and compliance issues. So, let’s run a quick information governance circuit drill.

In the late 1500s, privateer and explorer Martin Frobisher embarked upon a journey that would net him fame—Frobisher Bay is named for him—but not much fortune. His travels took him to what is now Canada, where he claimed Baffin Island for the Crown because of the vast amounts of gold he found there. He was so convinced he had found great riches that he continued to make multiple trips with increasingly more ships to mine and send the ore home for safekeeping. Queen Elizabeth I even ordered quadruple locks in the Tower of London to guard the trove.

Unfortunately for all, however, what Frobisher had so diligently worked to procure, transport, and store was nothing but iron pyrite—fool’s gold. Once it was discovered that his cache was not real gold, an Italian alchemist was engaged to work his magic and transform the worthless rocks into the gold everyone desired. Needless to say, he was unsuccessful.

I was reminded of this story while attending the Information Governance Conference recently in Connecticut.

 will be missed, but his wisdom will endure. Who else could have observed “No one goes there nowadays. It’s too crowded”? The information governance equivalent is “No one has information anymore. There’s too much of it.” In the last decade we have witnessed the systemic utilitization of computing power. Data used to be housed predominantly within a company’s own systems, but now, through remote storage, SaaS, PaaS, and other cloud solutions, more and more information is hosted by third-party providers. Also, as marketplace forces compel organizations to leverage or outsource functions that used to reside internally, operational service providers increasingly create, receive, maintain, and process information on the organization’s behalf.

It follows that information governance (the organization’s approach to satisfying information compliance and controlling information risk while maximizing information value) can no longer simply be an internally-focused exercise. IG “has come to a fork in the road, and must take it.” Service provider selection, contracting, and oversight are now primary vehicles of information governance – because when it comes to governing your organization’s information, “the future ain’t what it used to be.”

Last Friday, when Amazon’s market cap pushed past Walmart’s, the headlines almost wrote themselves – “Internet Retailer Amazon Topples Traditional Retailer Walmart,” or the like. The lead angle? Amazon’s information-based business model had surpassed Walmart’s old-school, bricks and mortar business concept. Just one problem – totally wrong lead, with the totally wrong point.