information management

When a judge hears that documents no longer exist due to a company’s retention schedule, it feels like we’re transported back to grade school, with a sheepish pupil making lame excuses about “disappearing” homework. Courts can seem skeptical, even disdainful, about retention schedules. As the U.S. Supreme Court characterized them in Arthur Andersen LLP v. United States, “‘Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business.” The tone is noblesse oblige, as if businesses follow an odd, quaint practice of having retention schedules, which should be grudgingly acknowledged before moving on to the court’s more important consideration of the preservation duty and discovery sanctions.

Ironically, the courts have retention schedules too. Yep, this notion of destroying records pursuant to a retention schedule is not unique to “business” – the trial judge at a spoliation hearing is governed by the court’s own records retention schedule, which classifies records by content type and prescribes records disposition, including destruction.  And the court also has a records management program, with one of its purposes being the appropriate disposition of records when they have served their purposes.

A busy examiner, working on 15-20 other cases, sets a file aside in the “delayed/pending” queue while awaiting information, and a gun is sold and nine people die. A utility transfers responsibility for recordkeeping functions to its distribution business unit, files containing information about pressure and strength tests are not kept current, and an explosion kills eight. Computer files are accidentally deleted from an Airbus plane and three of its four engines shut down, causing a crash that kills four.

What do these seemingly disparate events have in common?

Old-school company intranets are like soooo boring. Why not juice things up? Sure, we’ll keep the one-directional content (employee policies, company announcements, etc.), but let’s add a dynamic platform for employee interactive training modules, capturing employee responses and quiz results. Why stop there – how about a message board for employees, to turn dull company communications into an energized conversation? And in today’s mobile world, shouldn’t we enable remote access from anywhere our employees happen to be, 24/7? What could possibly go wrong?

Well … a whole lot will go wrong, unless the company first applies an information governance perspective. So let’s ask a few questions to explore what information risks and compliance issues are at play.

I met this grumpy fellow in Sabi Sands, South Africa, and took this picture with my phone (nope, no zoom… wish he’d been further away). The experience reminded me of the fable about the Blind Men and the Elephant, a classic allegory for how we often do not perceive the big picture, but instead only the part we directly encounter. This fable has become a useful metaphor for Information Governance. In so many organizations, individual departments and functions have their own, limited perspectives on information, seeing only the issues and objectives with which they are directly familiar. Limited perspective yields limited perception – not a good thing for identifying, understanding, and controlling organizational risk. Information Governance is the means through which organizations can bridge across such silos and perceive the big picture of information compliance, risk, and value.

Actually, I prefer a different version, restyled as the Blind Elephants and the Man.

Once upon a time—back when paper ruled—junk mail was clearly junk.  We easily separated the bills from the ads, and it never crossed our minds to save the ads “just in case.”  Fast forward to today’s digital world, and we find that not only are we doubling the volume of data every two years, we are outpacing our storage and, arguably, our ability to manage it. We’re keeping the “ads” and a whole lot more.

While governing my information (yep, cleaning up old email and files), I came across one of my early white papers on Information Governance, from 2010:  The Information Governance C Change. It can be cringe-inducing to revisit old material, but this piece seems as valid today as five years ago:

“Companies are awash in an ocean of data. E-mail servers are overflowing, troves of legacy data and documents are accumulating, rogue IT is proliferating, and social media and other Web 2.0 usage is seeping into the workplace. These same companies are also experiencing a sea change in their information compliance environment. E-discovery costs and exposures continue to mount, while courts’ expectations are escalating for compliant preservation, collection, and production of ESI. And new laws and regulations are expanding the reach of information privacy and security requirements to a broader range of entities and business operations.

Ineffective wireless encryption

Taped-over door lock on data room

Inadequate passwords

Computers without adequate log-off

Disabled audit logging

Unencrypted email and laptops

Former employees with inappropriate network access

These vulnerabilities and more (a total of 151) were found at seven large hospitals during a round of audits by the Department of Health & Human Services. Although these vivid examples point to hospital systems, HIPAA also applies to many other types of covered entities and business associates including, of course, physician practices. These non-hospital providers are most likely even more vulnerable to such lapses, as they are less likely to have dedicated information technology staff, legal departments, and formalized record-keeping practices.

So, your organization has committed to Information Governance, and you’ve been tasked with making it a reality. Now what?

You’ll need a framework on which to build your program, a platform that will help you bridge across siloed functions (IT, InfoSec, Legal/Compliance, Records Management, Internal Audit, Operations…) and siloed perspectives (privacy, data security, records & information management, litigation discovery…). You’ll also need to come to grips with three persistent barriers to operationalizing Information Governance:

Some old problems never seem to go away. Email retention remains an obstinate dilemma for far too many organizations. Volumes continue to mount, with business email totaling 109 billion messages every day, and forecasted growth of 7 percent each year. Email archives and cloud email solutions address the symptom of overburdened servers, but these strategies do nothing to tackle the core problem, which is too much email, kept too long. And the cost of email retention outstrips the cost of email storage, in large part due to e-discovery expense in future litigation.

The cold, hard truth is that the persistent problem of email volume will not be solved with technology alone. What’s needed, and frankly overdue, is a bit more organizational discipline and direction on email retention.