Is Your Organization's Data Management Plan A Ticking Time Bomb Of Risk?

Symantec

By Natasha Ratliff, Writer and Senior Account Executive, Technology, Edelman

Public and private sector organizations have accumulated stockpiles of electronic information for decades. The types of information they hoard span a wide spectrum of content including everything from sensitive national security files and important intellectual property on one side, to completely useless data on the other. The reality for most organizations is that they never had a solid plan for managing data growth because the risks and costs were not immediately foreseeable – or they were simply ignored as the problem festered and grew over time. Like it or not, now organizations across the globe are paying the price.

Today we live in an era where new data breaches and big lawsuits are reported weekly. These breaches appear to be increasing in both frequency and severity, wreaking havoc not only on a company’s bottom line, but on the employees and customers whose data has been compromised. Credit monitoring requirements, falling stock prices, and government investigations all contribute to the pain of a serious data breach. Disappointingly, poor data management is often the culprit; had the data been managed properly, the problem often could have been avoided or at least minimized.

What is the Answer?

Many believe “information governance” is the key to reducing their organization’s ticking time bomb of information risk and cost, but the term often means different things to different people. The lack of clarity often stifles progress for many organizations and leaves them feeling helpless and reluctant to take meaningful steps. That is exactly why we sought out Symantec Information Governance attorney and expert, Matthew Nelson, to answer some questions about the fundamental components and objectives of a good Information Governance program.

Q: Thanks for speaking with us, Mr. Nelson. For starters, it probably makes sense to ask the obvious question, which is: what is information governance?

Nelson: Information governance means a lot of different things to different people so you’re likely to end up with different answers depending on who you ask. In fact, the American Records Management Association (ARMA), Gartner, The Sedona Conference, and a group called the Information Governance Initiative have all offered slightly different definitions of information governance that can get confusing. But to me, IG is simply about organizations implementing a plan that includes the right people, process and technology in order to maximize the value of the organization’s information assets while minimizing the risk and cost of not managing information properly.

Q: Isn’t IG just another marketing term like “information lifecycle management?” How is it different?

Nelson: There are definitely similarities, but I think IG has broader application because there is greater focus on data security today than there was 10 years ago. Focusing on IG objectives is more important than getting hung up on the definition. Those objectives for most organizations are to make sure there is a plan to “protect, manage and discover” their information.

Q: What do you mean by “protect” information?

Nelson: Every week we hear about another major data breach that causes some company and their customers major headaches. Protecting information is top of mind for both private and public sector organizations alike because the consequences of not protecting critical information assets are so severe.

Q: Can you provide examples?

Nelson: Sure. When there is a breach in the public sector, national security is at stake. Malware like the Stuxnet Virus enabled hackers to take control of and disrupt the Iranian nuclear facility for years before Iran figured out what was going on. Similarly, the group of hackers known as “Dragonfly” recently infiltrated major electricity and oil and gas operators in several countries including the United States. Think about the worldwide chaos that would have ensued if the hackers disrupted or shut down those operations.

In the private sector, a big breach may lead to the loss of intellectual property and customer information like PII, aka, “personally identifiable information.” The latter situation is often a quadruple whammy because not only does a serious retail data breach typically cost millions in remediation costs, but the company stock price drops. When the stock price drops, investors often bring shareholder lawsuits. To make matters worse, the FTC is likely to bring an enforcement action on behalf of consumers who had their personal information compromised and settlement terms typically include mandatory security audits for 20 years.

Q: What do you mean by “manage” the information?

Nelson: I mean that most organizations keep more information than they need or they might even keep everything forever because everyone is afraid to hit the delete button. This creates a ticking time bomb of information risk. What organizations need to do is delete what they don’t have a legal or business need to keep.

Q: Why don’t organizations hit the “delete” button?

Nelson: Mainly because they lack “visibility” into their unstructured data universe. But now, organizations are looking to leverage archiving solutions and technology Symantec calls “information fabric” to gain visibility into their unstructured universe. This visibility empowers them to make informed decisions about deleting useless and duplicative information, securing sensitive files and moving old data to lower cost storage.

Q: And “discover” information presumably refers to electronic discovery?

Nelson: Absolutely. In litigation and investigations the stakes are high and the timelines are tight. If an organization with a lot of litigation has not invested in eDiscovery technology that can be used to streamline their ability to quickly and thoroughly preserve, collect, cull and analyze data on a case by case basis then they are unnecessarily spending a small fortune on outside counsel and vendors. The more data an organization creates, the higher the cost of finding the proverbial needle in the haystack and the higher the risk of overlooking data that should have been produced.

Q: Why are organizations just now talking about information governance when this is something they should have been doing a long time ago?

Nelson: Partly because the market has matured so that organizations realize a proactive strategy is better than a reactive strategy which is really not much of a strategy at all. And partly because information governance is a term that everyone can finally rally around to help understand the root cause of all these problems we have talked about. If we understand that the root cause of all these problems relates to the explosive growth of information and information sprawl, then different internal stakeholders can join forces and share budgets to begin addressing these problems collectively. That is where the “people and process” begin to come into play. Stakeholders should include representatives from various departments including legal, IT Security, CIO and Compliance to name a few.

Q: Thanks for your time, Mr. Nelson. Any final thoughts or resources you can point us to?

Nelson: The pleasure is mine. This is a topic I have been talking about for years so it is exciting to see organizations finally begin to take meaningful steps forward. As far as resources, I would look at the websites of the organizations I mentioned earlier for more information. I also conducted a presentation titled, “The 21st Century Legal Department – New Challenges & Responsibilities in the Era of Big Data” that was recorded and is still available on the web for download. Symantec is also sponsoring a series of live panel discussions in several cities over the next three months that will be open to the public including several interesting sessions at Legal Tech New York.

Mr. Nelson is a law and technology expert at Symantec with more than a decade of experience helping organizations address a wide array of information governance challenges. He regularly serves as an expert panelist with federal judges, government attorneys and in-house counsel on topics ranging from electronic discovery to data privacy and security. He has also been invited to address many organizations as a guest lecturer throughout his career, including the Association of Corporate Counsel, Nevada’s High Technology Crime Task Force, the Argyle Chief Legal Officer’s Forum, Stanford & Hastings Law Schools and several Fortune 500 Corporations.