Bridging the gap between legal and IT for sound Information Governance policies

19
Mar
2013

Jim McGann

Legal organizations have had a non-existent relationship with the information technology (IT) groups that serve them.  In many cases IT organizations remain to themselves and only interact with legal when something goes wrong, or they need to collect data for eDiscovery. IT organizations are responsible for managing user data, and making sure it is safe and available.  Legal is responsible for corporate policies and making sure risk and liability is managed when it comes to that same data.

It is critical that a dialog between these organizations exist in order to proactively manage corporate data according to information governance and security policies.

Without communication user files and email will continue to remain unmanaged and sensitive content can easily cause risk for the organization. As users create sensitive data and it is not secured properly it can easily escape the firewall and fall into the wrong hands.  Data breaches are not very common, however, when they happen your organization can make worldwide news.  

Additionally, without proactive communication and a partnership between legal and IT organizations, IT will continue to store information that no longer has business value but can turn into a liability.  eDiscovery costs, finding and collection data, will also remain high as every time a request is made a new and time consuming search must be commenced.  

The challenge with communication is you need something to talk about. You need a language that allows you to discuss the topic, understand each other and make decisions.  In the past if legal asked IT what data exists where, there would be a blank response. If IT asked legal about data policies, what they should keep and what they can dispose of, the answer would not come easily.   

Both legal and IT care about the same data, user files and email, however, they have not developed a language that allows them to discuss this content and make intelligent decisions regarding the disposition.   As a result sensitive user data languishes on the network and lays hidden until a future event exposes it.

A Common Language

Knowledge is the key to determine the disposition of user data. Language based on this knowledge is key to successful communication between IT and legal teams.  Without knowledge it is impossible to determine how to manage data, what to keep, what to purge and what is required for legal hold. 

 Organizations are now making disposition decisions regarding data according to their information governance policies. Gone is the day where data lived forever and nothing was purged from the network.  It is just too expensive and risky to save data with no business value, especially since this can represent 40 to 60 percent of what exists today.  

Data profiling is the new language of information governance. Data profiling uses summary reports combined with queries on an enterprise index of user files and email. This index is comprised of metadata level information such as last accessed or modified date, owner, size, location, as well as a MD5 hash to determine if it is duplicated. Using this information IT can easily provide summary reports that allow legal to view the data at a high level and understand what exists. When legal asks what data on the network is owned by ex-employees and which of this data has not been accessed in more than seven years - IT has the answer.  

Starting the conversation

Data profiling allows conversation to take place between IT and legal.  These conversations allow disposition to be decided.  Aged data that has no business value and not been accessed in more than a decade is easily classified and purged. Sensitive email such as PSTs that are hidden on the network can be easily uncovered and monitored in order to determine the best course of action. 

Legal can now view and profile data and collaborate with IT to determine the best course of action.  Just think when the next eDiscovery event occurs, legal can ask IT where is “John Doe's” email and IT can provide an quick answer and preserve the data on legal hold.

As legal and IT begin to collaborate and discuss polices and information governance strategies they will find that much of the data that they are spending significant money to store and maintain is of no value.  

According to a recent study by the Compliance, Governance and Oversight Council 2012 (CGOC) 1 percent of user data is typically on legal hold, 5 percent should be archived for regulatory requirements, 25 percent is current working files that should be monitored in place but not touched, and the balance of 69 percent has no business or legal value and can be purged.   

Set policy

Beyond supporting eDiscovery more effectively, data profiling and improved collaboration between legal and IT will allow for significant cost reduction by purging aged and irrelevant data, often referred to as ROT (redundant, outdated and trivial) by records managers, as well as proactively managing long term risk and liability by eliminating potentially harmful content.  

Many organizations are stuck in the analysis paralysis phase of how to implement policy: how to manage policy, how to implement policy, how to audit policy and how to keep policy updated and current. These are hard tasks for any information management professional.   

Nonetheless, finding the answers to these questions requires tight partnership between legal and IT organizations. Data profiling not only helps understand what exists, and allows for defensible disposition of the content, but also supports the development and enforcement of corporate policies.  

Developing and updating policy is simplified once a data profile is in place. Understand what you have and build a policy around it. Many organizations have a process in place to archive all user email. Is this the right policy? Do you need to keep all user email or just what has business or legal value?   

Data profiling will allow you to determine what should be archived and preserved versus saving everything. The save everything policy is not actually a policy and actually creates more liability down the road.  

With a data profile, IT and legal can sit down at the table with the knowledge and the language to discuss what exists and how that data should be managed. Once this policy is defined, the data profile can be called upon to take action and manage the disposition of the content. Ongoing audits can also occur via the data profile to ensure that policy is implemented and managed correctly.  

Without a common language IT and legal will continue to exist in their own worlds and not have a collaborative relationship that proactively supports corporate information governance. Data profiling is the language that will allow these two organizations to understand what exists, and make the appropriate plan to manage long-term liability and costs associated with user data.