Information Governance

Information Lifecycle Governance Takes Center Stage for Corporate Counsel

Over the past year I have used this column to explore the various topics relating to Information Lifecycle Governance (ILG). ILG means many different things to different people. Ask 10 people for a definition and you are likely to get at least a dozen different answers. This lack of consensus is not all that surprising since ILG is still relatively immature as a discipline. It has therefore been my intent throughout the year to help raise awareness of this new practice area by drawing out some of the ways in which it impacts the daily life of corporate counsel.

For decades, companies have generally allowed their end users to manage and govern the information controlled by or held within their domains. They have also relied heavily upon IT managers to make the bulk of decisions regarding information stored on the systems they administer. Corporate counsel may have historically given very little thought to company data, other than when they needed information to support or defend their legal matters, or for niche regulatory requirements in certain industries. In the past, counsel simply may have had little reason to care how much information the company was amassing, from where it was coming, how it was being used, whether it was adequately protected, or how long it was being kept. These were traditionally all operational concerns left to business managers and did not involve significant issues regarding corporate risk or compliance.

The scope of corporate counsel duties has changed rather rapidly and drastically in the past decade, however. Companies have quickly begun to digitalize nearly every aspect of their operations. Digital information is generally now the lifeblood and primary asset of all companies, in every industry, in every sector. Whether a company makes or sells widgets, transports goods or people, facilitates markets or transactions, or provides services of any sort, it has likely also become an information business in the past few years. The volume of digital information flowing through the company has also likely grown exponentially in this same short period. This rapid digital transformation has brought to the forefront many information-related issues that corporate counsel can no longer ignore. Information creates great value to the enterprise, and anything of value also presents proportionate risk. This is where Information Lifecycle Governance can help.

Early in the year I wrote a piece on Big Data. This technology is more than just a buzzword. It is a primary driver of the digital transformation process and it often has profound enterprise risk and compliance impacts. These arise not only because companies are collecting and utilizing more data points in operations and decision making than ever before, but also because the technology itself is fundamentally different from all prior data management and analysis technology we have seen. Because these systems have the ability to ingest massive amounts of raw data, much of which has no predefined utility, the full content of the data often remains unknown until some type of business analysis is conducted. The result tends to be large data pools with little understanding of what is in them or what compliance obligations attach. They are commonly called dark data pools because there is no visibility into what they contain, which may include any manner of regulated information or contraband, and numerous companies have found themselves in hot water in recent years due to a lack of awareness of what data their business units were amassing. For this reason alone, it is imperative for counsel to get involved during the early program design phases and build privacy and compliance in from the start.

Big Data does not only present challenges for counsel; it is also a powerful tool. Several articles this year have drawn out examples of how it can be leveraged to improve compliance programs and reduce company risk. Big Data is particularly useful in anti-corruption investigations and in building internal monitoring programs. (See “Finding the Needle in the Anti-Corruption Haystack.”) The exact same attributes that make it a powerful tool for digital transformation of business operations also allow counsel to transform their own practices. For example, predictive text analytics and concept-based search technologies allow legal teams to greatly reduce the amount of time and costs associated with the review of documents and communications. Machine learning may be leveraged to help bring the most critical and relevant communications to the top of the review pile, even where actors are using coded terms to hide illicit activities. Analytics tools can also make the hunt for correlating transactions and documentation much easier for both monitoring and investigations. This point was discussed more deeply in “Data Analytics May Hold Key to Compliance with South Korea Anti-Graft Scheme” to show how the tools can be useful in building a successful internal compliance program, especially in areas where relevant evidence may be hidden or obscured.

Not only must counsel understand what data is being collected and stored by the enterprise, and how they can mine that data for their own needs, it is also important that they know where it is being stored, and by whom. Data privacy issues around the globe create a myriad of compliance issues. May’s article discussed the complex issue of emerging data localization laws that are popping up around the globe. Data localization requirements are driven mainly by concerns over privacy, security, surveillance and law enforcement, and typically require that data collected or used in a particular jurisdiction, or at the very least a copy of that data, remain in that jurisdiction so law enforcement or government officials can have access to it if needed. These laws present just one issue; prohibitions on cross-border data migrations also add significant compliance problems of their own. For suggestions on how to properly address these and related issues, see November’s article “Data Mapping for Global Privacy Compliance.”

One of the most important aspects of ILG is ensuring the company’s assets are properly protected. There is certainly no shortage of headlines regarding data breaches in the news these days, and there is no indication of any slowdown in hacker activity any time soon. The digital transformation of our enterprises equally empowers the digital transformation of criminal activity. (See “How to Rob a Bank in Ten Easy Clicks.”) To this end it is important that counsel remain diligent with regard to both data stored in the corporate environment and that hosted or held by third-party service providers. In April, I also discussed vendor security certifications and the importance of knowing exactly how your vendors are protecting your data. Many vendors over-focus on the security of their data centers without disclosing anything about their internal processes or policies for accessing and moving data in and out of those centers. More recently, I discussed the value of the Dark Web for cyber reconnaissance, and how to avoid unnecessary risk when leveraging these digitally transformed black markets.

Finally, one of the best ways to reduce all of the above risks and also help control budgets is through the clean-up of legacy data. The more data the company must manage, the greater the cost of managing it, and the more data counsel must sift through for compliance, e-discovery, or records retention programs, the greater their costs as well. Old data is also often the most vulnerable to hacking, as it typically has the fewest protections or is being overlooked. Projects aimed at cleaning up this data often serve as a central component of ILG programs, and the data storage and maintenance cost savings alone can often more than offset the total costs of the entire ILG effort.

Simply put, ILG is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, protection, archiving and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals. As a legal discipline, it describes how leading corporate counsel are embracing their new roles and driving the successful digital transformation of their companies and their own practices through better information risk mitigation and control.
