IG World Vol 1 * Issue 4 - Summer 2019 by IG World Magazine

INFORMATION GOVERNANCE WORLD

IAPP’S FIRST CCPA SURVEY RESULTS

BASSAM ZARKOUT ON IoT DATA PROTECTION

DIGITAL PRESERVATION IN STATE & LOCAL GOV’T

ADVICE FROM LEADING IG EXPERTS

WELLS FARGO’S

MONICA CROCKER IG & RIM

MATTHEW BERNSTEIN BANKING ON IG

DOUG LANEY

INFORMATION: THE FORGOTTEN ASSET

DEVIE MOHAN

FINTECH ACROSS THE POND CHRIS

IG ANZ’S

SUSAN BENNETT

INFOGOV DOWN UNDER VOL 1 • ISSUE 4 SUMMER 2019

INFOGOVWORLD.COM YOUR GLOBAL IG RESOURCE®

SURDAK

IG & ROBOTIC PROCESS AUTOMATION

SEDONA’S

KEN WITHERS

ON RODEOS & E-DISCOVERY

Information Governance &

Infonomic$ Summit The path to leveraging information value: From Information Governance to Infonomics

When: November 5, 8am-5pm Reception & Book Signing 5pm-6pm

Where: Michelangelo Hotel, New York City Who is Invited: C-level Executives & IG Leaders

The Michelangelo Hotel

Special Appearance by Doug Laney, author of Infonomics

Information Governance features major contribution s from these leading experts the field: in Barclay Blair Charmaine Brooks Dr. Patricia Franks Doug Laney Andrew Ysasi

Cover Design: Wiley Cover Image: © style_TTT/

Baird Brueseke Monica Crocker Randolph Kahn, Esq. Darra

Hoffman INFORMATION Bassam Zarkout GOVERNANCE WORLD

PRACTICES

The Second Edition of Information Governanc e continues to offer a guide to the imperative big picture for implementing IG, with actionable steps to reduce formation risk, improve incompliance capabilities , and leverage information value. Information Governance is filled with much-need ed advice and practical for compliance and risk strategies managers, operations managers, corporate corporate records managers, counsel, legal administrators, information technology managers, archivists, knowledge managers, and information governance professiona ls.

Second Edition

TS, STRATEGIES AND BEST

“Effective Information Governance (IG) programs improve operational efficiency and compliance capabilities while leveraging information as an asset to maximize its value. Active IG programs are the hallmark of well-manag ed organizatio ns, and increasingly IG has become an imperative, especially for global enterprises.” —From Chapter One

INFORMATION GOVERNANCE CONCEPTS, STRATEGIES AND BEST PRACTICES

Shutterstock

Subscribe to our free Finance and Investing eNewsletter at wiley.com/enewsle tters

$95.00 USA / $114.00

CAN

Neil Calvert, Linq Infonomics Solutions

Second Edition

Visit wileyfinance.com

Robert F. Smallwood

with leading experts

here has been a “perfect storm” of sorts that fueled concerns for information privacy, data protection, and regulatory compliance. The 2018 EU General Data Protection Regulation (GDPR), amidst the drumbeat of colossal data breaches and major privacy violations, ignited a wave of increased activity in the field of information governance (IG). In today’s environment , it is vital that business managers have a clear understanding of the methods and best practices used to control and secure information, and the opportunitie s to leverage information asset value. That requires an effective IG program.

Rich Hale, Active Navigation

Cost: $495. Includes continental breakfast, lunch, coffee breaks, a cocktail reception, and a copy of Laney’s Infonomics. By invitation only. Request yours today by emailing events@infogovworld.com.

The revised and updated Second Edition of Information Governance offers an important guide that reviews the basic concepts of IG, defines what it is (and what it is not), explains how to justify and implement an IG program, and explores ways to secure and control information while maximizing its value using infonomics principles. The discipline of IG covers a range of components: privacy, cybersecurity, e-discovery and law, records managemen t, compliance, information technology, risk management, business operations, and more. Filled with illustrative examples and written in clear language, Information Governance addresses the many aspects of IG with actionable strategies and proven best practices. Written by a noted expert in the field with contributions from a number of industry pioneers and experts, Information Governance explains how to plan and manage a cohesive and (continued on back flap)

MEDIA SPONSOR

Robert Smallwood, Institute for Information Governance

Is data the new oil? Join us and key C-level executives to understand how to navigate the journey to harvesting newfound information value. You’ll learn the principles and formulas for monetizing information from Doug Laney’s groundbreaking book, Infonomics. We’ll have insightful presentations and panel discussions, including a group lunch, then conclude with a book signing by Doug Laney and also Robert Smallwood who will sign the new edition of his book, Information Governance, Tduring a catered cocktail reception where you can network with peer executives and industry leaders. The event will be held at the elegant Michelangelo Hotel, a treasure in NYC.

Smallwood

INFORMATION GOVERNANC E CONCEP

Pr ove n a n d e m e r ging strategies fo r i m p l e m e n t i n g infor mat ion gove rnanc e progr ams u s i n g b e s t p r ac t ices

Richard Kessler, KPMG

PUBLISHER’S LETTER

INFOGOVWORLD.COM

PHOTO BY LILLI GARCIA

ur team at IGWorld has put together another outstanding issue, chocked full of information and updates on IG, new survey results, and insights from IG leaders. Our cover feature is an interview with attorney Susan Bennett, who founded IG ANZ, a nonprofit group of professionals supporting education and advancement of IG in the Australia-New Zealand region. We’ve also published the results of a recent survey by IG ANZ revealing progress in IG programs. We’ve added a new section on Banking and Financial Services, which includes interviews with Wells Fargo’s Monica Crocker, Deutsche Bank veteran Matthew Bernstein, and FinTech expert Devie Mohan weighs in from across the pond. We’ve included our take on four key trends in FinTech for 2019, and another article on the impact of FinTech in the financial services segment. In our effort to bring you more vertical market content, we also have a piece on digital preservation in state and local government. In our next issue, we will present some case studies for you to sink your teeth into. Infonomics pioneer Doug Laney contributed a thoughtprovoking piece on information as an asset, from a historical perspective; and Heidi Maher writes about the role of IG in the M&A process. George Firican provides advice on business Intelligence (BI) and data governance (DG), as well as tips on effective DG. Also, we have two articles with two different viewpoints on the hot topic of robotic process automation (RPA), written by leading IG and analytics consultant Chris Surdak, and Neil Calvert of LINQ Solutions. And IoT expert Bassam Zarkout discusses data protection for IoT. We are fortunate to include an interesting and entertaining interview with Ken Withers of the Sedona Conference, who talks about e-Discovery from its roots to today—and his rodeo clown experiences! Andrew Ysasi contributed a piece on the proposed New York state privacy law, which sought to surpass the strictness of California’s CCPA, but which ultimately did not pass in a recent legislative session. We also published the summary results of IAPP’s first survey on CCPA, to keep our readers current as this important privacy legislation moves toward implementation. I wrote a piece on privacy concerns hitting main street after a trek to Los Angeles to see the latest Tarantino movie; and we feature an article on how to guard your personal data while traveling, as well as one on advancements in cybersecurity technology in the Big Data era. Don’t forget our November 5th IG & Infonomics Summit in New York City. It’ll be an informative and classy event at an upscale boutique hotel in Manhattan; and, if you

cannot make that, we are holding another one of these popular events in San Francisco on December 4. You can view the agenda and speaker bios on our website. We limit the number of attendees to encourage engagement and networking, so request your invitation today. Happy reading!

Robert Smallwood CEO & Publisher

Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com

Email Governance Needs?

Try modern email management in the cloud with Integro Email Manager™ Value-based email governance. Retain important email. Eliminate ROT. Integro Email Manager™ (IEM) is an easy to use email governance solution for Office 365, Exchange, and Lotus Domino. Integro Email Manager helps companies govern email to reduce email retention (easing eDiscovery & reducing risk), manage high business value email, and properly classify email records.

From Content Overload to Harvesting Information Value JOIN US AT 2PM EASTERN ON SEPTEMBER 12 FOR THIS INFORMATIVE WEBINAR HOSTED BY: ROBERT SMALLWOOD, IGWORLD MAGAZINE FEATURING: JEFFREY DUNNING, INTEGRO

integro.com/products/iem

INFORMATION GOVERNANCE WORLD

CONTENTS INFORMATION GOVERNANCE IN SOCIETY 10 IG World Data Monetization & Infonomic$ Summit in Chicago 11 The MER Conference Managing Electronic Records INFORMATION GOVERNANCE BEST PRACTICES 12 Four Ways Information Governance Can Protect M&A Value by Heidi Maher INFORMATION PRIVACY 14 Privacy Concerns Hit Main Street America by Robert Smallwood 15 NY Privacy Act Looks to Surpass Cali’s CCPA By Andrew Ysasi 16 Protecting Digital Footprints While You Travel INFORMATION SECURITY 18 New Network Monitoring Tool Addresses Massive Data Volumes by Baird Brueseke

CONTENT SERVICES 48 RPA & AI: The Coming Governance Nightmare by Christopher Surdak, JD 50 Understanding the RPA Opportunity by Neil Calvert ARCHIVING & LONG-TERM DIGITAL PRESERVATION 52 Digital Preservation in State and Local Government: An American Success Story by Mark Driskill EMERGING TECHNOLOGY 54 Protecting IoT data throughout the Digital Transformation Journey by Bassam Zarkout 56 IoT & Healthcare Facilities Data Management by Baird Brueseke

COVER STORY 20 IG Down Under: Interview with Susan Bennett by Robert Smallwood

BANKING & FINANCIAL SERVICES 58 Banking on IG: An Interview with Matthew Bernstein

ANALYTICS & INFONOMICS 30 Information: The Forgotten Asset by Doug Laney

61 The Rise of Fintech and its Impact on the Financial World

RISK & COMPLIANCE 34 CCPA Survey by IAPP 36 IG ANZ 2019 IG Survey by Baird Brueseke

62 Devie Mohan: Fintech from Across the Pond

LEGAL & EDISCOVERY 38 Interview with Ken Withers

64 INFORMATION GOVERNANCE TRADE SHOWS

RECORDS & INFORMATION MANAGEMENT 42 Interview w/ Monica Crocker

66 INFORMATION GOVERNANCE EVENTS

DATA GOVERNANCE 46 How Business Intelligence and Data Governance Support One Another by George Firican 47 10 Guiding Principles Every Data Governance Program Should Follow by George Firican

INFOGOVWORLD.COM

ON THE COVER: Susan Bennett is a leading Information Governance expert and an international privacy lawyer, based in Sydney, Australia. Photo by Jessica Lindsay THIS PAGE: Monica Crocker (Group Records Coordinator for Wells Fargo’s Wealth & Investment Management business) Photo by Nora Burrows

INFORMATION GOVERNANCE WORLD

YOUR GLOBAL IG RESOURCE®

infogovworld.com VOLUME #1 ISSUE #4 SUMMER 2019

INFORMATION GOVERNANCE WORLD

OZ ALASHE ON ANALYTICS GDPR ONE YEAR & CYBERSECURITY LATER W/ RICHARD HOGG ADVICE FROM LEADING IG EXPERTS

JASON R. BARON

ON RIM’S MAJOR THREAT

CEO & PUBLISHER

NICOLAS ECONOMOU

Robert Smallwood

AI’S ROLE IN E-DISCOVERY

SONIA LUNA

CHIEF OPERATING OFFICER

ON COSO & RISK MANAGEMENT

Baird Brueseke

NATHANIEL PALMER

IG & INTELLIGENT AUTOMATION

HEIDI MAHER

CREATIVE DIRECTOR

Kenny Boyer VP OF BUSINESS DEVELOPMENT

JOHN ISAZA

ON GLOBAL RIM COMPLIANCE

HER VISION FOR CGOC + IG & DATA PRIVACY BENCHMARKS

Dan Adams SENIOR EDITOR

VOL 1 • ISSUE 3 SUMMER 2019

INFOGOVWORLD.COM YOUR GLOBAL IG RESOURCE®

Dan O’Brien CONTRIBUTING EDITORS

Mark Driskill, Martin Keen, Andrew Ysasi CONTRIBUTING WRITERS

Baird Brueseke, Neil Calvert, George Firican, Doug Laney, Heidi Maher, Robert Smallwood, Chris Surdak, Bassam Zarkout CONTRIBUTING PHOTOGRAPHERS

Nikki Acosta, Isi Akahome, Norah Burrows, Jessica Lindsay, Robert Smallwood, Andrea Vallejo

Check us out online and sign up today for a free digital subscription to Information Governance World magazine. Print subscriptions for the quarterly mag are $49/year, or $195 for five team members.

SPECIAL THANKS TO INTERVIEWEES:

Susan Bennett, Matthew Bernstein, Monica Crocker, Devie Mohan, Ken Withers

2358 University Ave # 488, San Diego, CA 92104

infogovworld.com 1.888.325.5914

YOUR GLOBAL IG RESOURCE®

888-325-5914

subscribe.infogovworld.com

INFORMATION GOVERNANCE

Information Governance:

A PRIMER

ccording to the Sedona Conference, Information Governance (IG) is about minimizing information risks and costs while maximizing information value. This is a compact way to convey the key aims of IG programs. The definition of IG can be distilled further. An even more succinct “elevator pitch” definition of IG is, “security, control, and optimization” of information. This is a short definition that anyone can remember. It is a useful one for communicating the basics of IG to executives. To go into more detail: This definition means that information—particularly confidential, personal, or other sensitive information—is kept secure. It means that your organizational IG processes control who has access to which information, and when. And it means that information that no longer has business value is destroyed and the most valuable information is leveraged to provide new insights and value. In other words, it is optimized. IG PROGRAMS REQUIRE CROSS-FUNCTIONAL COLLABORATION IG involves coordination between data privacy, information security, IT, legal and litigation/e-discovery, risk management, business records management functions, and more. It is a complex, amalgamated discipline, as it is made up of multiple sub-disciplines. IG must be driven from the top down by a strong executive sponsor, with day-to-day management by an IG Lead, which is a person who could come from one of the major sub-disciplines of IG. The IG lead could come from IT, cyber-security, privacy, RIM, analytics, legal, operations, or related disciplines. THE KEY DIFFERENCES BETWEEN DATA GOVERNANCE & INFORMATION GOVERNANCE Data Governance (DG) and Information Governance (IG) are often confused. They are distinct disciplines, but DG is a subset of IG, and should be a part of an overall IG program. DG is the most rudimentary level to implement IG, and often DG programs provide the springboard for IG programs. Data governance entails maintaining clean, unique (non-duplicate), structured data (in databases). Structured data is typically about 10%-20% of the total amount of information stored in an organization.

INFOGOVWORLD.COM

“

An even more succinct “elevator pitch” definition of IG is, “security, control, and optimization” of information.” DG includes data modeling and data security, and also utilizes data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and deduplication, to eliminate redundant occurrences of data. Data Governance focuses on data quality from the ground up at the lowest or root level, so that subsequent clinical assessments, reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables. THE CHALLENGE: MANAGING UNSTRUCTURED INFORMATION Unstructured information is the vast majority of information that organizations struggle to manage. Unstructured information generally lacks detailed metadata and includes scanned images, email messages, word processing documents, PDF documents, presentation slides, spreadsheets, audio recordings, video files, and the like. Unstructured information is more challenging to manage than structured information in databases, and is the primary focus of IG programs. IG is much more broad and far-reaching than DG. IG programs include the overarching policies and processes to optimize and leverage information as an asset across functional silos while keeping it secure and meeting legal and privacy obligations. These IG program aims should always be in alignment with stated organizational business objectives.

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE

SOCIETY

‘IG World’ Data Monetization & Infonomic$ Summit in Chicago

PHOTOS BY ANDREA VALLEJO & CONTRIBUTED PHOTOS

Doug Laney, Neil Calvert, Rich Kessler, Robert Smallwood

Last May, leaders from major companies including American Express, USAA, Ford, and GSK Pharma gathered to hear the “path to information value” message at the Summit. The event featured Doug Laney, author of the seminal book, Infonomics, along with Rich Kessler of KPMG, Robert Smallwood of the institute for IG, and Neil Calvert from LINQ Solutions. The event concluded with a reception and book signing.

Neil Calvert (LINQ) and Rich Kessler (KPMG)

Richard Kessler

Susan Bennett, Sibenco & Rajitha Mogalapu. MagikMinds

Jason Federoff USAA with Neil Calvert LINQ Solutions

Doug Laney explaining infonomics at Chicago Data Monetization & Infonomics Summit

INFOGOVWORLD.COM

Smallwood & Laney, Henley, & Tyler Johnson

The MER Conference Managing Electronic Records PHOTOS BY ANDREA VALLEJO ANDREA MENDEZ PHOTOGRAPHY

The annual MER conference took place in Chicago on May 20th through the 22nd. Jason Baron gave a thought-provoking keynote. Special sessions included presentations by Rich Hale, Active Navigation, Scott Burt, Integro, and Mike Quinn from Preservica. The conference provided attendees with the opportunity to attend educational session and learn how to apply their lessons to real-world problems. Attendees had an opportunity to network at the Chicago Yacht Club, where these pictures were taken.

Jason Baron (Drinker, Biddle), Peter Baumann (Active Navigation), Greg Blin

Mike Alsup (Gimmal) & Mike Quinn (Preservica)

ZLTech’s Kon Leong & MER Conference Founder Bob Williams

Preservica’s Lori Ashley and a surprised conference attendee. Scott Burt, CEO Integro

Ladies enjoy a glass of wine & conversation at the reception.

Chicago Yacht Club reception attendees enjoy libations.

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE

BEST PRACTICES

Four Ways Information Governance Can Protect M&A Value

BY HEIDI MAHER

Heidi Maher

INFOGOVWORLD.COM

hile the world waits to see the potentially transformative impact of the CVS acquisition of Aetna (assuming it isnâ&#x20AC;&#x2122;t [ultimately] blocked), CVSâ&#x20AC;&#x2122;s CIO is likely thinking about the major data integration hurdles he will need to overcome to attain the value sought by the transaction. Many other companies will face these same challenges because M&A activity is now big business. Bain & Co. estimates M&A deals totaled $3.4 trillion globally in 2018, with about half those deals involving a company that obtained new capabilities or access to new markets from the acquired business. Based on my discussions with data and information experts from major enterprises, here are the top four ways information governance can help organizations meet the data integration challenges they will almost certainly encounter.

Reprinted with permission from Forbes.com. Originally published May 9, 2019.

1. UNCLOG DUE DILIGENCE While due diligence is always a critical topic for M&A deals, in the past, it focused primarily on legal and financial records. Today, due diligence must encompass regulatory impact, human resources, environmental effects, customer outlook, industry reputation, internal compliance, and information technology. This broader scope makes due diligence ever more challenging, as does the massive amount of data from multiple sources that must be accessed, authenticated, and reviewed, which can clog the due diligence process. To overcome this, organizations must have in place a solid integration strategy and a mature IG program that ensures cross-functional communication. Due diligence teams must also rely on advances in technology, including machine learning and predictive analytics, to help them accelerate and better manage the process while providing additional security. 2. AVOID CYBERSECURITY BUYER’S REMORSE A 2017 West Monroe survey of senior global executives found cybersecurity continues to be a major M&A issue, both before and after the deal closes, with over 50% discovering a cybersecurity issue after closing a deal. And those surveyed cited security as the No. 2 reason why M&A deals fall apart. To avoid this, an acquiring company must extend its IG smarts to the target company in order to fully examine the target’s IT and data security policies, including how the target gathers personal or sensitive information, how this data is used and stored, whether it is encrypted or otherwise protected, and when and

how data is destroyed. It is equally important to understand where data is physically stored and on what systems and the types of cyber- or data-related insurance policies the target maintains. While a primary goal of cyber due diligence is to avoid taking on potential data breach-related liability, including for those in the past, parties should understand that providing another party (such as an acquirer in an M&A transaction, along with financial institutions, consulting companies, law firms, vendors, etc.) with private customer or employee information or other sensitive data, can violate privacy regulations and increase the risk of a data breach. This means every third party receiving or storing sensitive data must be carefully vetted for privacy and security policies and procedures. 3. BRIDGE THE CULTURAL DIVIDE The CVS-Aetna deal is the perfect example of a culture clash. CVS is a retail company that processes millions of transactions for millions of individuals. Aetna relies on corporate purchasing from thousands of corporate customers. IG stakeholders are essential to bridging this divide. For example, to support data integration, the acquiring company must retain target company subject matter experts who know where data is located and the data habits of the employees. This knowledge is essential for successfully combining IT functions without introducing significant business disruption. 4. CLEAN UP YOUR ACT The only way to fully and rapidly benefit from analytics performed on data acquired from a target company is to make sure only relevant, high-

P O RT R A I T B Y N I K K I A C O S TA

quality data is added to the existing data lake. Following an acquisition at a bank I worked with a few years ago, executives demanded rapid integration of the new data, and they were so concerned about the possibility of losing some important information that they insisted on importing everything. However, this resulted in mountains of irrelevant and non-sensitive personal information (such as vacation photographs) being ingested, requiring significant time and money for a post-integration clean-up. So it is essential not to rush. Instead, the acquiring company’s IG program must be extended to the new data to ensure only relevant, high-quality information from trusted sources is integrated. THE ESSENTIAL INDUSTRY LESSON We will be watching the progress of the CVS-Aetna integration closely because the lessons learned will certainly benefit the entire industry. Meanwhile, M&A shoppers must focus on understanding all the risks associated with a target company’s data. If a buyer can’t use some of a target company’s assets because of privacy, healthcare, financial, or other regulations, or if the acquiring company cannot ensure only relevant, high-quality data is integrated, the future value of the deal could be completely undermined. These data integration challenges may feel overwhelming, but companies focused on maturing their own IG programs will be in a far better position toidentify the potential risks in the target company’s data, enabling smarter decisions before, during, and after an M&A transaction. INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY PRIVACY CONCERNS HIT MAIN STREET AMERICA

BY ROBERT SMALLWOOD

n previous issues, IG World has reported that, according to a Harris Poll published last November in USA Today, Americans are more concerned with privacy than anything else. That is, 65% of those polled stated they were more concerned about data privacy than healthcare (61%), which was their second greatest concern. This may be the result of heightened awareness, due to the string of Facebook privacy missteps and scandals, along with the impact of the European Union General Data Protection Regulation (GDPR), which went into effect in May 2018. Also, the looming California Consumer Privacy Act (CCPA), which goes into effect on January 1, 2020 (and can be enforced after July 1, 2020). The CCPA is not as comprehensive or strict as GDPR, but will have a significant impact on companies doing business with California consumers, especially U.S. businesses. In late July, I saw clear evidence of privacy concerns moving to Main Street USA. I took a train up the Pacific coast to downtown Los Angeles (DTLA) to attend the premiere of the latest Quentin Tarantino film, Once Upon A Time… in Hollywood, starring Leonardo DiCaprio and Brad Pitt. We went to the Alamo Drafthouse Cinema, which was showing a dozen films including the 35mm version of Hollywood. That was my first surprise of the visit: 19 bucks per person for movie tickets! I said, “That’s the most I have ever paid for a movie ticket in my life!” and the young lady behind the counter replied, “Totally worth it!” I’ll have to admit, it was a unique experience, and it was enjoyable. You pay for a very comfortable padded reclining chair, and an audience that is quiet and respectful (you are warned several times during the previews to not talk or use your phone or risk being ejected), and to be able to order food and drinks during the movie. The film ran long (over two and a half hours), but it did not disappoint. The 35mm production had its flaws, with a skipped frame here and

INFOGOVWORLD.COM

there, and some sound issues, but that made it seem all the more authentic and “old timey.” I won’t spoil it for you, but there were appearances by Steve McQueen, Sharon Tate, Roman Polanski, and the Playboy Mansion. The plot revolves around an aging star of old Westerns and his stunt double, and the Manson Murders, but with a fictionalized ending that is fantastic (and better than real life). After the movie was over, there was another surprise—the entire audience stayed seated throughout the entire credits. I had never seen this happen, but I suppose in Tinseltown, there are a lot of film professionals and they pay attention to those details. The biggest surprise, though, came the next day, when we were walking downtown to have breakfast at the storied Original Pantry Café (I highly recommend the biscuits!). There were three large buildings, painted with oversized Apple advertisements, and the middle one had a major message on privacy: Your iPhone knows a lot about you. But we don’t. Privacy. That’s iPhone. It’s not flashy like Times Square, but you can’t miss the ads. It is clear that Apple is targeting their competition, Alphabet/Google’s Android, and trying to draw a distinction between Apple’s approach, and their competition. Apple is using privacy as a significant competitive advantage, and they most certainly have conducted the market research to know that they are playing a strong suit when it comes to American’s awakening privacy concerns. And they reinforce this with their users. A couple of weeks later, I had to replace my iPhone, and as I was setting it up, this message displayed:

“Apple believes privacy is a fundamental human right, so every Apple product is designed to minimize the collection and use of your data, use on-device processing whenever possible, and provide transparency and control over your information.” Compare that to Facebook: I personally have been keenly aware of the surveillance tactics and privacy affronts of Facebook, which caused me to leave the platform for good over 18 months ago. I didn’t like their dishonest CEO, their manipulation of users, and their blatant disregard for user privacy. Do I miss some of the people I was able to stay in touch with on Facebook? Yes, a few, but those most important to me know how to get in touch. Do I miss having to spend large chunks of my time clicking and reading memes and wishing high school classmates, who I haven’t seen in 40+ years, holiday and birthday wishes? No. I gained even more insight into Facebook’s amoral (or even immoral) stance on user privacy when I watched Hacked on Netflix, after I returned from L.A It’s a documentary about the inside workings of the Cambridge Analytica scandal, and that company’s eventual demise. There were a few revelations, like, if any ONE of your “Friends” on Facebook took one of those dumb personality tests or participated in other such ruses set up by Cambridge Analytica, then their data and the data of up to 500 of their “Friends” was collected, unknowingly and without consent, with up to 5,000 data points. Then those who were deemed as “convince-able” were bombarded with lies and misinformation to sway their vote in the 2016 U.S. Presidential election, and also, the Brexit vote. As we all know, Trump and Brexit were successful, but it was due in large part to the mass manipulation of trusting social media users. In the future, perhaps users will be more aware of these schemes, and will have control of their own data and privacy. Our grandchildren may say, “Once upon a time… there was no data privacy.”

NY PRIVACY ACT LOOKS TO SURPASS CALI’S CCPA BY ANDREW YSASI

he New York Privacy Act (NYPA, or New York Senate Bill 224) introduced by state senator Kevin Thomas is much more restrictive to corporations than the California Consumer Protection Act (CCPA). This is a strong indicator that states are starting the trend to follow Europe’s landmark privacy legislation, the General Data Protection Regulation (GDPR). First, the NYPA would allow citizens of New York to have control over the data companies use. New York consumers would have the right to see how their data is shared, request edits including deletion, and prevent their data from being shared with third parties. The NYPA would require companies to respond to requests in 30 days and provide a 12-month look-back period. Second, the NYPA would allow consumers to sue companies directly—unlike the CCPA. The CCPA attempted to have a private right to action (sue), but a provision to do so was voted down after extensive lobbying by Silicon Valley-based tech companies. Third, the proposed NYPA would impact ALL companies. The CCPA applies to organizations that have $25 million in annual gross revenue. The NYPA could place a large regulatory burden on small businesses and startups. The cost to manage consumer claims and the threat of litigation could cut deeply into the profits of small businesses. Presumably, technology companies such as Facebook, Google, Amazon, Apple, and Microsoft could be impacted the most by NYPA, and lobbyists certainly have their work cut out for them to mitigate the requirements of the NYPA. On June 4th, 2019, there was a public hearing for online privacy

and the role of legislation. At the hearing, Senator John C. Liu stated he supported the bill and that the U.S. Congress is sometimes slow to act––and that states can take the lead to protect the consumer. Ed Potrikus, the President and CEO of Retail Council of New York State, responde to Liu that this type of bill would be burdensome to retailers and he would oppose this bill at the state as well as federal level as written. IIt is likely the NYPA will be modified as written, but it has yet to be determined how far the Act will go to empower citizens of New York to control how their data is used. The other concern brought up at the hearing was discriminatory advertising practices that hurt consumers, such as African Americans not seeing housing ads, older citizens not seeing job ads, and other digital ads that could be used to discriminate. How sensitive data is defined in the Act and how opt-in is defined will likely determine the strength and power provided to citizens to bring a private action against companies. The privacy fight is far from over in New York, and the rest of the country is watching to determine how the legislature reacts. This Act also supports the trend that the federal government may provide the floor with basic privacy legislation, and states will take it upon themselves to strengthen privacy laws for their citizens. Editor’s Update: The NYPA failed to pass in a recent legislative session ANDREW YSASI, MS, FIP, FIIM, CIPM, CIPP, CISM, PMP, CRM, IGP, CIP IS VICE PRESIDENT OF ADVOCACY FOR VRC, AND IS PRESIDENT OF IG GURU® AN IG NEWS ORGANIZATION.

INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY

PROTECTING DIGITAL FOOTPRINTS WHILE YOU TRAVEL

n October 2018, Cathay Pacific Airlines announced in a tweet that it discovered “unauthorized access to some of our passenger data.” 1 The breach exposed dates of birth, passport numbers, home addresses, historical passenger travel data, and other vital information needed for travel. In subsequent weeks, investigators discovered the airline had undergone a sustained attack over three months. In a process known as an advanced persistent threat (APT), cybercriminals took the data of 9.4 million past and present Cathay Pacific passengers. To date, this represents the largest airline data breach. When combined with the growing number of compromised hotel chains,2 a serious threat for travelers has emerged. Cathay Pacific first detected intrusion into its IT infrastructure in March of 2018 and took immediate action to “head off” the breach. Unfortunately, it was too late. The effectiveness of an APT attack rests with the cybercriminal’s ability to hide in plain sight and monitor for and catch what information they deem as the target. So, for six months, the airline knew of an intrusion and potential data breach, but could do little until it found where the cybercriminals were hiding inside Cathay Pacific’s IT infrastructure. Meanwhile, travelers that used the airline during that six months had no idea their data was at risk. A broad lens of the issue reveals many Americans do not trust institutions that use and manage their personal data. However, as the Pew Research Center points out, “Cyberattacks and data breaches are facts of life for government agencies, businesses and individuals alike in today’s digitized and networked world.”3 Cybersecurity experts recommend password management software for securely managing the multiple passwords we use in our digital lives. Despite this, Pew found 86% of respondents used memorization to remember their passwords. These users tend to use passwords they easily remember. Unfortunately, cybercriminals know this and exploit it. Like other industries, such as banking and healthcare, the travel industry uses sophisticated electronic information systems for managing passenger itineraries and payment information. Known as global distribution

systems (GDS), passengers cannot remain anonymous; they must be able to authenticate their identity for security reasons. While there is little a traveler can do to avoid being part of the collection of GDSs that manage the travel industry, there are key things a passenger can do that will protect his or her personal data while travelling. SECURITY BY DESIGN When it comes to protecting your personal data while traveling, nothing should be taken for granted. Before doing anything else, travelers should understand that it is not possible to be too careful. Plan the trip with digital data security as a backdrop of safety. Cybercriminals are on the lookout for flaws in design. Some in the software industry employ the concept known as security by design. Margaret Rouse of TechTarget.com notes: “Security by design is an approach to software and hardware development that seeks to make systems as free of vulnerabilities and impervious to attack as possible.” Moreover, an “emphasis on building security into products counters the all-too-common tendency for security to be an afterthought in development.” Travelers might take for granted the systems they are relying on are secure. In fact, many travel-focused companies may only address existing vulnerabilities and patch security holes with reactive rather than proactive fixes. Travelers need to build security into their travel plans and not assume the businesses they deal with manage their personal data with user privacy in mind. KEEP TRAVEL EXPENSES SEPARATE FROM EVERYDAY EXPENSES Conceptualizing security by design can be challenging for the user who frequently employs easily remembered passwords. This is because the password strength needed for today’s security purposes needs to be strong enough that cybercriminals cannot figure them out. Therefore, it is unlikely that one could even remember the collection of characters needed for today’s password needs. Password managers are not a cure-all. Users still must be vigilant and keep their eyes open for suspicious use. This is much easier

REFERENCE: [1] https://twitter.com/cathaypacific/status/1055117720444854273 [2] For example, Marriott, Hyatt, InterContinental Hotel Group, and Hilton Worldwide. [3] Americans and Cybersecurity, Pew Research Center, January 26, 2017. https://www.pewinternet.org/2017/01/26/americans-andcybersecurity/ SUZANNE ROWAN KELLEHER. [4] 6 Ways You Put Your Data at Risk When You Travel December 6, 2018. https://www.cntraveler.com/ story/ways-you-put-your-data-at-risk-when-you-travel

INFOGOVWORLD.COM

“

We tend to tell people using Facebook where we are going and how long we will be gone. This is like holding a sign saying, ‘I’m vulnerable now’ so come hack my smartphone. ” with a password manager. Perhaps the most crucial element of a password manager is its ability to help us compartmentalize our digital lives. In other words, password managers help keep our healthcare data separate from our financial data. Travel data has its own purpose that should be separate from all other digital data. So, too, must a traveler separate travel expenses from everyday expenses. Cybersecurity experts recommend not using your everyday credit cards and getting one just for travelling. 4 Compartmentalizing your travel expenses from your everyday ones offers an extra layer of protection if the credit card is lost or stolen. MAXIMIZE THE SECURITY CAPABILITIES OF ALL YOUR CONNECTED DEVICES The Pew Research Center found that: “Many Americans fail to follow cybersecurity best practices in their own digital lives.” This carries over to mobile devices such as smartphones and tablets. According to Pew, 28% of Americans admit they do not use lock screens on their smartphones. Even though two- and three-party authentication is now the norm, many chose to bypass these added security features, opting instead for the easier solution. Those who use a cloud storage

service need to examine its security. While automatic syncing and uploading of those “precious moments” saves us time and streamlines our digital storage needs, this always-connected posture invites cybercriminals. Cloud users often forget that the connection between them and the cloud service depends on a strong password and device encryption. Do not give cybercriminals a back door by using a weak password that is easily hacked. Do not assume all your devices have encryption protection. While Apple and iOS have built encryption into their products, Android-based devices are playing catch-up. Devices that use Windows are not encrypted by default. The user must install an encryption program on his system. One particularly troubling aspect of our devices and smartphones is their ability to connect to wi-fi hotspots. Many of us have probably ensured that the “Ask to join a Network” option is changed to “automatic” once we trust the hotspot. This is a result of our routines as we live our lives, but many may not realize that automatically connecting to hotspots gives unauthorized users an invitation to come into our digital lives. An inventive cybercriminal could set up a “rogue” network to mimic a trusted network in hopes of trapping victims as they come into range. The easiest solution is to set up a personal hotspot with your smartphone. Even here a traveler must be careful and create

an access password that is strong and deters intruders. The safest option is a virtual private network (VPN). Installing a VPN on your smartphone means your identity is invisible while the device is connected to the Internet. This is an encrypted link to the Internet that only your devices can connect to. Once connected, the VPN continues to mask identity by creating anonymity. FINALLY, MASK YOUR SOCIAL MEDIA PRESENCE For many of us, our social media presences are integral parts of our lives. It is on platforms such as Facebook and Twitter that we socialize with friends and stay connected with family members. Because traveling and vacations do not happen on a regular basis, we tend to tell people using Facebook where we are going and how long we will be gone. This is like holding a sign saying, “I’m vulnerable now” so come hack my smartphone. INFORMATION GOVERNANCE WORLD

INFORMATION SECURITY NEW NETWORK MONITORING TOOL ADDRESSES MASSIVE DATA VOLUMES BY BAIRD BRUESEKE

he volume of network traffic inside today’s corporate environments is staggering. Monitoring this increasingly large volume of traffic for signs of malicious activity can be an overwhelmingly complex task. One strategy to deal with this situation is the implementation of technology that copies mirrored data to remote locations for archival, analysis, and potential use in future forensic investigations. ERSPAN ADDS LAYER 3 ROUTING TO NETWORK TRAFFIC ANALYSIS The Encapsulated Remote Switched Port Analyzer (ERSPAN) approach works like this: Computers and appliances mirror traffic on source ports and deliver the mirrored traffic to destination ports on another switch. The network traffic is encapsulated using Generic Routing Encapsulation (GRE) so that it becomes routable across a Layer 3 network as shown in the diagram below:

ETHER

GRE

Outer routable packet header using GRE (Generic Routing Encapsulation)

segment. The ability to instantly deliver network traffic data to the remote network segment for analysis is a key ERSPAN feature that improves network security capabilities. The use cases for ERSPAN include the analysis, diagnosis, and detection of malicious network traffic. The transfer of mirrored port data using Layer 3 protocols provides the network administrators and the InfoSec team with several options. They can: 1) Analyze the traffic offline in near realtime using deep packet inspection tools; 2) Extract metadata from the packet

B Regular Traffic

Dest

A Source

Switch

In this example of port mirroring, Host A sends traffic to Host B. A copy of the traffic is sent to the Sniffer, which is located in another (Layer 3) network 18

INFOGOVWORLD.COM

Mirrored Traffic

Sniffer

Cross Layer 3 Network headers, thus reducing scaling issues; and 3) Route the traffic to long-term storage to preserve a record of network activity for future forensic analysis.

ERSPAN

ERSPAN header w/ inner packet details

ETHER

Mirrored packet

The application of GRE to encapsulate mirrored packet data is shown in the diagram above. The ability to route mirrored packet data using Layer 3 protocols is extremely helpful to the InfoSec Team tasked with monitoring the network for malicious activity. The reality is that the sheer volume of network traffic makes 100% real-time monitoring cost prohibitive. So it is critical to mirror, capture, and store port traffic it for future analysis. ERSPAN technology meets this need by providing both encapsulation and Layer 3 routing capabilities. The implementation of ERSPAN enabled in Cloud environments with hundreds of virtual machines provides the InfoSec team with yet another tool to detect and identify unauthorized behavior on corporate networks.

“

The volume of network traffic inside today’s corporate environments is staggering.”

News

CYBERSECURITY MUST EXTEND TO YOUR SUPPLY CHAIN: HACK CREATES BORDER RISK

GOOGLE IS LISTENING IN - ACCIDENTALLY?

If you crossed the southern border of the U.S. into Mexico by car recently, your license plate information may have been compromised. Officials at U.S. Customs and Border Protection (CBP) said they were the victims of a “malicious cyberattack” that compromised around 100,000 license plate images. In a statement given to the press, CBP indicated, “none of the image data has been identified on the dark web or internet.” Those responsible for the cyberattack exploited a significant “hole” in cybersecurity, one faced by any company or agency that utilizes subcontractors and supply chains—they do not control the security used by subcontractors and third-party vendors. In the CBP cyberattack, a vendor in the image reader software supply chain downloaded the license plate images without authorization. The vendor’s network was then hacked, and the images were stolen from the vendor’s network. As the Times noted, there is little value to thieves looking for financial exploitation. The dangers come from potential tracking that license plate images provide to CBP and any entity that surveils individuals. Perhaps not ironically, just weeks earlier, privacy advocates (who support banning facial recognition scanners) testified before the House Committee on Oversight and Reform. The Hearing dovetails into a larger push by Homeland Security to scan all passengers at 20 of the nation’s largest airports. Irony and coincidence aside, the hole in CBP supply chain security is a classic case study on the potential dangers of incomplete supply chain security. While few question the need for surveillance at border crossings and airports, the public should feel secure in knowing the government is not abusing its surveillance capabilities. Going forward, high-profile targets such as border crossings and airports should be required through regulation to provide security all along the supply chain. The CBP attack is illustrative of a “passing the buck” mentality that puts our PII at risk. While some required supply chain security can be addressed with automation and logistics software applications, other aspects (such as policy surrounding access and use) should be addressed as part of a larger IG strategy.

Have you recently purchased a Google Nest? If so, you might want to know that the latest foray into home security was hiding something from you––microphones. And if you’re curious why you haven’t heard about it, then it shouldn’t surprise you to learn that Google “forgot” to tell you. Though the notion of forgetting to disclose something that is a feature and not a bug feels disingenuous at best. A statement from Google tried to distance the company from purposely misleading consumers:

DATA SAFETY INSIGHTS: SESSION REPLAY TECHNOLOGY The secretive world of data capture has invaded the iPhone. A recent study by Tech Crunch found that many popular apps are capturing user screen activity without consent. Many companies that use these apps monitor user activity, record it, and then send the information back to the company for analysis. These apps utilize session replay technology. Many privacy experts, such as Linn F. Freedman from Robinson & Cole LLP, only recently heard about session replay technology after Apple stated developers needed to disclose the use of this technology or remove it from their apps before the app could be distributed. This is not unlike Google, Facebook, and Amazon, who collect and retain user data about internet surfing habits. The best defense against these secretive practices is sunlight! Shine enough light on the subject, and everyone sees it. IG World will continue to bring these type of cybersecurity and privacy issues to your attention.

“The on-device microphone was never intended to be a secret and should have been listed in the tech specs. That was an error on our part. […] The microphone has never been on and is only activated when users specifically enable the option. It was installed in the devices in order to support future features ‘such as the ability to detect broken glass.’” While it is obvious that an error was made, the idea that a company steeped in user privacy violations inadvertently failed to include the microphone in the product specifications is laughable. Nest Secure retails at $399, which is quite a bit of money to spend in order to voluntarily be spied on for data-mining purposes (by simply using voice recognition technology). And with the announcement of Google assistance capabilities, the company revealed ineptitude and malice in equal measure. Those familiar with Google’s previous privacy issues (such as millions of dollars in fines for violating GDPR) will not be surprised to learn that the “accidental microphone” has been installed on the Nest since 2017, which seems to weaken the position of merely an oversight. And if privacy concerns weren’t bad enough, a hacker recently accessed a Nest Cam in the Bay area, convincing the family that the U.S. was under a nuclear attack carried out by North Korea. Another user in Arizona was the victim of a hacker taking over the Nest cam; and yet another breach in the same month saw a hacker threatening to kidnap a family’s child. If Google (or Facebook) is any indication, consumers will continue to look past privacy violations by Big Brother. INFORMATION GOVERNANCE WORLD

INTERVIEW BY ROBERT SMALLWOOD | PORTRAITS BY JESSICA LINDSAY

IG DOWN

SUSAN BENNETT IS A LEADING Information Governance expert and an international privacy lawyer, based in Sydney, Australia. She established her own business seven years ago, Sibenco Legal & Advisory, and subsequently Information Governance ANZ. Prior to this, Susan spent over 20 years specializing in large-scale commercial litigation, inquiries, and royal commissions. Susan holds a Master of Law and a Master of Business Administration, and is a Certified Information Privacy Professional (CIPP/E). She is also Chair of the Sedona WG6 APAC Committee and a Fellow of the Governance Institute of Australia.

UNDER: INTERVIEW WITH

SUSAN BENNETT

INFOGOVWORLD.COM

IGW: Where did you grow up in Australia and begin your career? I grew up on a farm in Tasmania, which is an island state to the south of mainland Australia. The farm is in the northern part of the state, called Ashgrove Farms, and is predominantly a dairying farm with a milk and cheese factory. It is also on the â&#x20AC;&#x153;Cradle to Coastâ&#x20AC;? tourist trail. While the cows can on many days be seen in paddocks surrounding the factory and going to and from the dairy for milking in a very long line, there are also painted art cows outside the Ashgrove Farm Store (see photo). In my photo of the calves on the farm, you can see Mt. Roland in the background, which is part of a range defining the start of the central highlands of Tasmania. Within this region is the famous Cradle Mountain and Dove Lake-protected World Heritage Area. I was the first person in my family to attend university and graduated in law from the University of Tasmania. The Law School is in Hobart, which is the capital of Tasmania. Hobart was the second colony to be established by the British after Sydney. It was a penal colony; about 70,000 convicts (including some of my Irish and English forbearers) were sent to Tasmania. As a consequence, Tasmania has a lot of interesting colonial history and Georgian architecture (thanks to convict labor).

Susan Bennett

INFORMATION GOVERNANCE WORLD

What experiences did you have early on as a lawyer? And what changes in technology and law have you seen? After finishing Law School in Tasmania, I moved to Sydney and did my practical training course at the College of Law, and was admitted the Supreme Court of New South Wales, the Federal Court of Australia, and the High Court of Australiaâ&#x20AC;&#x201D;all a long time ago now! When I commenced as a lawyer, my secretary took dictation; and while there were word processors, Australia had only been connected to the Internet for 18 months. Email was still several years away for law firms. The 22

INFOGOVWORLD.COM

technology to enable eDiscovery had not yet been developed. I was a user of the initial versions of several eDiscovery technology tools (particularly Ringtail, which is an Australian product) and established a legal technology support team to support litigation matters and due diligence in M&As. Australia was an early leader in records management, and has been a leader in eDiscovery technology tools as well, including Nuix, Ringtail, and EDT. I was involved in one of the earliest commercial litigation trials in London that used live transcriptionâ&#x20AC;&#x201D;that was back in 1995. I was also involved in the first fully electronic trial

technology tools and, in particular, the development of AI capabilities in eDiscovery software is impressive. The use of Technology Assisted Review (TAR), which is AI in eDiscovery, has been an enormous step forward in dealing with the vast data stored by organizations and being able to comply with discovery or production orders in a technologically efficient and cost-effective way.

“THE CONCEPT OF IG AS A DISCIPLINE AND PRACTICE IMMEDIATELY RESONATED WITH ME.”

in a major commercial litigation case in the New South Wales Supreme Court, which was in 2000-2001. As is often the case with technology, it takes time and improvements, both to the technology and with the skills of users, before the full extent of the benefits are realized. The first electronic trial was also accompanied by multiple sets of an initial 165-folder trial bundle set, and there were multiple hard-copy printouts of the transcript made each day over the course of a 12-month hearing. The first few electronic hearings experienced more than a few teething problems! The continuing improvement of litigation legal

What led you into the world of Information Governance? The short answer is when I first heard about IG in 2014. At a conference I attended a conference in Europe and there were a couple of sessions on IG; one of the keynotes was given by U.S.-based attorney Jason R. Baron, an eDiscovery and IG pioneer. The concept of IG as a discipline and practice immediately resonated with me and accorded with some work that I was undertaking. Jason encouraged me to write my first article on IG (published in May 2015) on the importance of top-down leadership, which I believe is key to setting an enterprise-wide strategy and ensuring effective IG implementation. The services I provided in Corporate Governance then extended to Information Governance. This now includes frameworks, policies, and processes to manage the exponential growth in data within organizations, focusing on the needs of the organization from a strategic perspective. At a more granular level, it also includes privacy frameworks, privacy impact assessments, and data impact assessments for data analytics projects, including an ethical-based assessment as part of the overall assessment framework. The growth in legal work in data protection and privacy is due to technology developments and increasing global privacy regulation. What led you to establish Information Governance ANZ? As there was very limited discussion in corporate Australia at the time about IG, we thought it was important to promote discussion and best practices around IG, which led to InfoGovANZ being established just over three years ago. The idea is that by building a network of multidisciplinary professionals, information silos will be broken down, enabling more connected thinking and innovation leading to IG best practices. This, in turn, will promote the delivery of better outcomes for organizations by both minimizing risk and maximizing the value of the information held within organizations. The InfoGovANZ community provides a forum to learn from leading practitioners, keep informed of the latest developments, and shape the future development of IG. Our goals are to: • Build the knowledge of IG, best practices, and innovation • Ensure professional discipline of IG is recognized as a key component to managing the exponential rise in data in the information age • Create a community of IG professionals in Australia and New Zealand INFORMATION GOVERNANCE WORLD

While our membership is predominantly based in Australia and New Zealand, we do encourage members from anywhere to join. Our membership is free and our events and activities are supported and made possible by our sponsors, which currently include Active Navigation, Nuix, FTI Consulting, and Western Sydney University, which offers a Masters of Information Governance. As previously mentioned, a driving force behind establishing InfoGovANZ was to bring together professionals across different disciplines to break down ‘information silos’ within organizations. A key challenge for organizations in maximizing the benefits of new technology opportunities is to have the right people and skill sets involved in initiatives from the outset. For example, in data analytics initiatives and opportunities to deliver the best outcomes while utilizing the latest technology requires effective collaboration among a broad range of skills sets including: cybersecurity, data set subject matter experts, data scientists, privacy, project management, risk management, and stakeholders. Who are some InfoGov ANZ affiliates? We are affiliated with a number of associations including the IGI (Information Governance Initiative), ILTA, RIMPA (the “ARMA of Australia”), and DAMA––and we promote each other’s events. We recently participated as part of Information Awareness Month with National Archives and other professional organizations including RIMPA, IM, DAMA, Australian Society of Archivists, and the Australian Library and Information Association in a roundtable workshop. The event provided an opportunity for industry leaders to share perspectives on contemporary information and data management trends and challenges. The Many Voices, One Message booklet summarizing the key themes and topics discussed at the workshop has been published and it is anticipated to lead to ongoing discussion and collaboration. What are some major challenges of governing emerging technologies? I believe a key challenge is properly understanding both the scope and limits of new technology. The issue of having the right capabilities and skills to use the technology is infrequently properly considered. Sometimes, it is less about what software or new technology you are using and more about having the right skill set using it. Another important consideration at the outset, before acquiring or deploying new technology or new data projects, is considering and mitigating risks, including thinking about unintended consequences and mitigating those risks. For instance, the risk of AI algorithmic bias and potential adverse consequences is very real, particularly as data sets are shared and aggregated. The focus and resourcing should be at the planning stage with emphasis on security-by-design and privacy-by-design, as well as project goals from the business perspective. This is a far more efficient approach rather than trying to cover privacy compliance as an afterthought or when things go wrong. 24

INFOGOVWORLD.COM

Digital transformations require organizations to be proactive in security and privacy with robust leadership. Waiting until there is a data breach or a big regulatory fine and then having to invest far more resources and costs into remediation, responding to regulatory investigations, and litigation costs is an expensive way to do business and not good for the organization itself (or its shareholders and stakeholders). Would you tell us about your latest trip to the U.S.? So far, I’ve had two trips to the U.S. this year. My latest trip started with the Infonomics Summit in Chicago, sponsored by IG World. This was a very interesting day. As a lawyer and governance practitioner, I spend most of my time focused on mitigating risk. The focus of this summit was on maximizing the value of data. It was great to meet Doug Laney, the keynote speaker, who very kindly the following day invited Neil Calvert from New Zealandbased LINQ Solutions (infonomics software) and myself as the Antipodean attendees to his neighborhood for lunch. I then attended my first MER Conference, where I spoke on the topic of “Privacy, Ethics, and Trust: The Role of Information Governance.” I was looked after by InfoGovANZ’s sponsor Active Navigation. Peter Baumnann, the CEO, is very thoughtful to include me in dinners and ensures I’ve met new members of the ever-growing ActiveNav team. I’ve also made other friends along the way in the U.S. and run into people unexpectedly at events, particularly Sedona friends, and it is great to catch up. MER was then followed by the CIGO Summit, where Jason Baron interviewed me on “Asia-Pacific Privacy Law,” which was part of the section of the summit dealing with all things GDPR and CCPA. It was great to be able to catch up with Barclay Blair and the IGI guys. I then spent a couple of days in NYC catching up with friends and attending several Broadway productions. I finally made it to the Cybersecurity and Privacy Protection Conference 2019 and was a panel member on “GDPR and International Compliance,” which was held at Cleveland-Marshall College of Law, Cleveland State University. I spoke at this conference last year and it is interesting to reflect on the difference in discussion between last year when the GDPR was just coming into force and a year later with impending large fines likely (that are now happening), as well as the CCPA and eight amendment bills with 11 other state privacy laws being considered. A lot has happened in 12 months from the U.S.’s perspective, and it is a similar story in Asia where there are new privacy laws and expected further privacy laws before the end of 2019. The GDPR has definitely set a new global benchmark and will create a lot of work for privacy professionals and lawyers in the coming years. Tell us about your love for the arts, and why you are such an ardent supporter. One of the joys of traveling is seeing and learning about new things. The highlights are more often than not unexpected

“THE RISK OF AI ALGORITHMIC BIAS AND POTENTIAL ADVERSE CONSEQUENCES IS VERY REAL, PARTICULARLY AS DATA SETS ARE SHARED AND AGGREGATED ”

INFORMATION GOVERNANCE WORLD

SYDNEY OPERA HOUSE

ASHGROVE FARMS, TASMANIA

ART COW, ASHGROVE FARM STORE, TASMANIA

HOBART, TASMANIA AUSTRALIA PHOTOS BY SUSAN BENNETT

TIERGARTEN, BERLIN

SPECIAL THANKS

INFOGOVWORLD.COM

JESSICA LINDSAY is a freelance photographer based in Sydney. Her work has been published in Harpers Bazaar, Frankie, Smith Journal, Country Style Magazine, Adore Home, Time Out Magazine, The Starter Kitchen Cookbook, Chasing the Sky: 20 Stories of Women in Architecture, O, The Oprah Magazine, Lonely Planet, The Guardian, The Sydney Morning Herald and on Yellow Trace. Jessicaâ&#x20AC;&#x2122;s clients include: the Royal Botanic Gardens, Mercedes Benz Vans, Lonely Planet, Telstra, The Athletes Foot, ABN AMRO, Westpac, Bank of Queensland, Oscar Wylee, Clinical Excellence Commission, Australian Institute of Architects, Bondi Rescue and OzHarvest. Jessica is a contributor to The Precedent and a photographer for The City of Sydney. jessicalindsay.com.au

surprises. In trying to find decent coffee in St Petersburg, Florida, I found myself at the Frieda Kahlo exhibition at the Salvador Dali museum and proceeded to spend most of the day viewing extraordinary artwork. I was so inspired by Salvador Dali that I have a presentation that includes his painting the “Hallucinogenic Toreador” to explain the quagmire confronting organizations. The surrealist painting is a good way to explain the different perspectives of data collection, use, and storage from those using and responsible for the data in different parts of the organization and why you need an overarching IG framework. I also have a presentation on leadership in times of rapid innovation and technological change, which has extensive references to the book and film Hidden Figures. On a side trip from Chicago to Detroit with friends, to go somewhere different, we visited the Motown museum. I was surprised when we arrived to see a suburban house, which was the hit-making factory synonymous with the Motown name. So much extraordinary Motown music emanated from Studio A. It was also incredibly interesting seeing empty, but amazing art deco buildings and the truly extraordinary Diego Rivera frescoes depicting work and workers at the Ford factory at the Detroit Institute of Arts. I am passionate about music, which is definitely food for the soul. I enjoy a very wide range of music and singing. I grew up playing piano, so I had a basic foundation in classical music and also learned guitar. The photo of me

“THE FOCUS AND RESOURCING SHOULD BE AT THE PLANNING STAGE WITH EMPHASIS ON SECURITY-BYDESIGN AND PRIVACY-BY-DESIGN.” in front of a monument to the classical composers— Beethoven, Haydn, and Mozart—was in Berlin. We were walking through the Tiergarten when we just came across this stunning monument to the three great composers. I recently attended the premiere of a new opera in Sydney called Whiteley, which is about a modern Australian artist who died of a heroin overdose when he was 53. It’s interesting to see technology being used in the production: the Opera House has huge LED screens that move around the stage. In this latest opera, displays of Brett Whiteley’s art are displayed on the LED screens and take the production to a new level with the wonderful singing and orchestra. New operas are quite rare and it is fantastic to see a new Australian opera in the iconic Sydney Opera House, which is within walking distance of where I live. My Twitter and LinkedIn profiles have the background photo of the Sydney Opera House and so I have provided a photo for this article. I hope I have enticed some of your readers to come and visit Sydney and Tasmania! INFORMATION GOVERNANCE WORLD

World-class Instructor-Led Classroom Training on IG with Leading IG Trainer Robert Smallwood Attend this popular classroom course held at one of the most beautiful college campuses in the world, the University of Miami, near the Atlantic Ocean. Taught by IG thought leader Robert Smallwood, the world’s leading trainer and author on IG topics, students get personal attention to ensure they grasp key IG concepts and can apply them to their work. The first day covers IG Basics including the IGP Certification Prep Crash Course, followed by two days of Advanced IG Training. The course is based on Smallwood’s groundbreaking text, Information Governance (Wiley, 2014, 2019), and also supplemental course materials.

Take advantage of this exclusive training opportunity to educate your IG team! Seating is limited, reserve yours today at IGTraining.com, or call us at 888-325-5914! “I really got a lot of out of Mr. Smallwood’s teaching style and personal attention.”

“Thank you to Robert Smallwood for providing us with so much insightful information, and the tips we will need to pass the IGP certification.”

“The 3-day training was very educational, and the small classroom environment made it even more interactive.”

—IG Manager, Top 10 U.S. Law Firm

— IG & Compliance Manager, Major Pharmaceutical Firm

—RIM Manager, Fortune 500 Corporation

Past attendees include IG professionals from major law firms, leading corporations, and large government agencies, including:

IG Training 3 Day Basic & Advanced Intensive Course

University of Miami November 19-21, 2019 (Tues-Thur)

Topics Include: • Failures & Lessons Learned in IG • GDPR, Big Data Impact • IG Imperative • IG Principles • Role of Data Governance in IG • IG Risk Assessments • Strategic Planning for IG • IG Policy Development

• IG Program Management • Infonomics: The Value Side of IG • IG for Legal Functions & E-discovery • IG for RIM • IG for IT • Privacy Functions in IG • IG for Email, Social, Mobile, Cloud • SharePoint IG

Tuition Cost: $1,695* (Group discounts are available for 3 or more from the same company.)

Includes: Tuition, Breakfasts, Coffee Breaks, and Supplemental Materials. NOTE: You must purchase the textbook prior to class. Housing options include nearby hotels in partnership with USD.

• Digital Preservation • Information Asset Registers • Taxonomies & Metadata • Cybersecurity in IG • IG for Emerging Technologies • The Role of Executive Sponsorship in IG • IG Best Practices • Developing Key Metrics for IG Programs

ANALYTICS & INFONOMICS

P O RT R A I T B Y I S I A K A H O ME

INFORMATION: THE FORGOTTEN ASSET BY DOUG LANEY

ver fifty centuries ago, a man received 29,086 measures of barley over 37 months. He documented this transaction on a clay tablet, then he signed it, “Kushim.” Kushim is the first person in history whose name we know according to Yuval Noah Harari’s book Sapiens: A Brief History of Humankind. Kushim was neither a king nor a prophet nor a warrior nor a poet. Instead, he was an accountant or so it would seem. The tablet found in Mesopotamia (modern Iraq) has various dots, boxes, sheaves of grain pressed into it with a wedge-shaped stylus. It appears to record a business deal.1 Kings, prophets, and even deities come and go. But keeping track of your grain, your workforce (slaves back then), and your gold has been a constant throughout civilization, and across civilizations. Tens of thousands of other clay tablets found dating back even centuries earlier record payments in cattle, shipments of cattle for fattening, gifts of cattle to the temple as an offering, years of feeding barley to donkeys, and even how the government taxed its people.2 Known recordkeeping goes back even further to simple tokens and clay balls with various shapes representing different kinds of inventory found in Jericho near the West bank of the Jordan River some 11,000 years ago. It took about another 6,000 years for the abacus to first appear in Sumeria even before the modern numerical system.3 Some ten centuries later, papyrus became popular for tax receipts, court documentation, and other recordkeeping. In ancient Egypt, the accountant was called the “eyes and ears” of the king.4 Unlike present-century banksters, who avoid punishments other than a slap on the wrist for their complicity in crashing an entire economy, royal auditors of ancient Egypt imposed severe, even capital, punishment for accounting irregularities.5 It wasn’t until another 2000 or so years had passed when not only the transactions themselves were recorded, but when transaction laws were codified. The Code of Hammurabi, created in Babylon around 1760 BCE, is a seven-and-a-half feet tall stele of volcanic basalt (i.e., bigger even than the US Tax Code!). The Code of Hammurabi had 282 laws chiseled into it with various levels of

INFOGOVWORLD.COM

punishments, such as the infamous “an eye for an eye” over a thousand years before it later appeared in the Hebrew Bible. These laws deal with contracts, wages, liability, and household and family matters (including sexual behavior).6 Another 500 years later, we begin to see the first artificial, yet more highly exchangeable representations of value. Around 1100 BCE the Chinese started using miniature replicas of items cast in bronze to represent the transfer of ownership of the actual objects themselves. Over time, these replicas were abandoned in favor of more uniform circles— the first coins. And in another 500 or so years, Lydia’s King Alyattes minted the first official currency, in present-day Turkey. These coins were stamped with pictures of snakes, lions, owls, and roosters denoting their denomination. About the same time back in China, they were evolving to use paper money. Around the time Marco Polo visited China in 1200 AD, the emperor had become quite adept at managing the money supply. Instead of “In God We Trust” as is inscribed on American currency, his currency ominously cautioned, “All counterfeiters will be decapitated.”7 To find the next significant accounting innovation, we need to fast-forward nearly two thousand years through the Dark and Middle Ages. One of the greatest and least known significant characters of the Renaissance is a Venetian merchant and mathematician named Luca Pacioli. Disgusted by the state of mathematics in Italy, Pacioli, two years after Columbus “discovered” the New World, published the book, Summa de Arithmetica, Geometria, Proportioni et Proportionalita (The Collected Knowledge of Arithmetic, Geometry, Proportion, and Proportionality). Buried in this tome is one section that made Pacioli famous and is celebrated by accountants today, Particularis de Computis et Scripturis, a treatise on accounting, in which he becomes the first person to detail double-entry accounting, known then as “the Venetian Method,” which had been used for the past couple hundred years.8 After his accounting manual opens with a listing of the three key components needed by anyone wishing to carry on an enterprise (capital, a good accountant, proper internal control), he wrote, “quanto alor debito e anche credito” or “whenever there is a debit entry there is also a credit entry.” This 1494 publication remains the basis of modern-day accounting: a company’s credits must balance its debits.9

Doug Laney

INFORMATION GOVERNANCE WORLD

ANALYTICS & INFONOMICS Some 300 years later, a potter in the north of England built the world’s first industrialized pottery factory. Josiah Wedgwood (incidentally, Charles Darwin’s grandfather) capitalized on the demand for luxury goods by a new upwardly mobile class, enabling him to charge exorbitantly for his products. But during the recession of 1772, as demand for his pottery relaxed, Wedgwood turned to his accounting books to solve the problem of reduced cash flow and increased inventory. From these double-entry accounting records, he was able to calculate the cost of “every expense of Vase making” to determine whether to cut prices or production, therein inventing what we call today cost accounting. In turn, he learned how to distinguish between fixed and variable costs and how to uncover fraud within his company. Until this time, profit and loss had been merely generalized concepts.10 Speaking of fraud, it took another century for accountants to formalize the integration of factory production and commerce into a single set of books. Around the same time, the first accountancies were formed. A London railway and hotel accountant named William Welch Deloitte had gained a reputation for developing standards for these industries. At only 25 years old in 1845 he formed an accounting practice and was tapped to unravel the infamous frauds at the Great Northern Railway and Great Eastern Steamship Company. The next major accounting innovation comes another 60 years later. In 1914 a young salesman at DuPont named Donaldson Brown unwittingly created a simple formula for assessing and benchmarking

business performance by combining investments, working capital, and earnings. The “DuPont Equation” is used today by every business in the world and is better known as Return on Investment.11 ROI= (Gain from Investment - Cost of Investment) Cost of Investment

A couple of decades later, in response to The Great Depression, a committee chartered by the nascent Security and Exchange Commission (SEC) was tasked with standardizing financial statements. Until that time, both public and private companies could disclose what they wanted, however they wanted. This lack of consistency was blamed in part for investor confusion leading to the market crash. Part of these standards included homogenizing the set of recognized asset classes to be reported. Information, of course, was not one of these asset classes, because it wasn’t until some fifteen years later that the inklings of the information age emerged when the accounting firm Arthur Andersen computerized the payroll system for a General Electric plant. Only then was the idea hatched that information could be an item separable from its physical manifestation—the paper (e.g., book, magazine, ledger) it was printed upon. INFORMATION IS STILL NOT CLASSIFIED AS AN ASSET So, here we are today, some 60 years after the beginning of the Information Age, yet the namesake of this age, and the major asset driving today’s economy, information, is still not considered an accounting

REFERENCE: [1] http://phenomena.nationalgeographic.com/2015/08/19/whos-the-first-person-in-historywhose-name-we-know/ [2] http://international.loc.gov/intldl/cuneihtml/gazette.html [3] http://www. investopedia.com/articles/financialcareers/09/ancient-accounting.asp [4] https://is.vsfs.cz/el/6410/zima2013/ NA_AS/Accounting_History_for_students.pdf [5] http://www.investopedia.com/articles/financialcareers/09/ ancient-accounting.asp [6] http://www.louvre.fr/en/oeuvre-notices/law-code-hammurabi-king-babylon [7] http://www.investopedia.com/articles/07/roots_of_money.asp [8] Accounting History From the Renaissance to the Present: A remembrance of Luca Pacioli, T.A. Lee et al, Routledge, 1996 (http://www.amazon.com/exec/ obidos/ISBN%3D0815322712/flynflesherA/) [9] https://partners-network.com/2012/04/10/luca-pacioli-fatherof-accounting/ [10] http://www.bloombergview.com/articles/2013-04-18/how-a-potter-took-accounting-intothe-industrial-age [11] http://www.hagley.org/librarynews/research-donaldson-brown-father-roi

INFOGOVWORLD.COM

asset. Even though information meets the accounting criteria of one: information can be owned and controlled, it is exchangeable for cash, and it generates economic value. Ironically, while information is at the crux of accounting and has been for millennia, even in today’s information economy, it is not something accounted for itself. Regardless of the accounting profession’s antiquated notions of what is and isn’t an asset, it’s imperative in today’s economy for organizations to treat information as an actual enterprise asset—including accounting for it. At least internally, for now.

“

Regardless of the accounting profession’s antiquated notions of what is and isn’t an asset, it’s imperative in today’s economy for organizations to treat information as an actual enterprise asset—including accounting for it.” DOUG LANEY LEADS CASERTA’S DATA AND ANALYTICS STRATEGY PRACTICE AND IS THE AUTHOR OF THE BEST-SELLING BOOK: “INFONOMICS: HOW TO MONETIZE, MANAGE, AND MEASURE INFORMATION AS AN ASSET FOR COMPETITIVE ADVANTAGE,” WHICH FEATURES THE INFORMATION VALUATION MODELS HE DEVELOPED. HE ALSO IS A VISITING PROFESSOR AT THE UNIVERSITY OF ILLINOIS GIES SCHOOL OF BUSINESS AND A THREE-TIME GARTNER THOUGHT LEADERSHIP AWARD RECIPIENT. HE MAY BE REACHED AT DOUG. LANEY@CASERTA.COM.

LINQ brings infonomics to life.

LINQ enables businesses to learn the true business value of their information, and evaluate the impact of changes to the data, systems, and processes to maximize business value.

S E E M OR E AT: WWW. L I N Q . I T

RISK & COMPLIANCE CCPA SURVEY BY IAPP SUMMARY RESULTS The passing of the California Consumer Protection Act (CCPA), surprised many, even privacy professionals. Its quick journey into becoming a California law will have a far-reaching impact on many U.S. businesses. The CCPA wasn’t without issues, such as a number of drafting errors. Couple this with a possible federal mandate coming that could supersede this piece of state legislation, and you might understand why many organizations were dragging their feet at first in terms of compliance. However, two dates loom large: January 1, 2020 and July 1, 2020. The law takes effect on that first date, and the second date represents when that law becomes enforceable. With that in mind, organizations need to take CCPA seriously and get on board with compliance preparation. The IAPP and OneTrust decided to survey U.S. privacy professionals about CCPA and their findings were interesting, to say the least. A LACK OF PREPAREDNESS The IAPP had privacy professionals rank preparedness on a scale of 0 to 10; the average response was only 4.75. This paints a picture of more than half of organizations not being ready to implement the CCPA. Most organizations cited “a lack of time and bandwidth” followed by the “complexity of the law” as to why they aren’t as prepared as they should be. With the very public spotlight on privacy concerns and the inevitability of compliance, privacy professionals will have to find a way to overcome this lack of preparedness or risk damaging the reputations of their organizations.

Interestingly, some industries are faring better than others in terms of preparedness. For instance, professionals in the software and services industry in particular tend to rate their companies’ level of preparedness for the CCPA higher than average, while those who work in the banking industry tended to rate their companies’ CCPA preparedness slightly below average. Most organizations aren’t prepared to be compliant by the July 1st, 2020 enforcement date, but most plan on ramping up in the first half of 2020. It should come as no surprise that the organizations that are confident in their CCPA preparation were more likely to report compliance confidence by July 2020. 55% of organizations have set their CCPA compliance target date by the end of this year, 80% by July 2020 50%

Before Jan. 1, 2020 Before July 1, 2020 We do not have a timeline for compliance Before July 1, 2019 After July 1, 2020 Don’t know

50%

38% 25%

25%

11%

13%

Question: Approximately when do you expect your organization to be in full compliance with the CCPA?

Source: IAPP and OneTrust 2019 Survey

Snapshot: Organizations are about halfway to CCPA compliance Firms that are highly prepared for CCPA now are likely to have set earlier compliance target dates

39%

40% 34%

30%

26%

When do you expect to be in compliance with the CCPA?

20%

By July 1, 2019

10%

Don’t Know

Current CCPA preparedness level

low (0-3)

medium (4-6)

high (7-10)

Question: On a scale of 0-10 (with 0 being “have not started to prepare” and 10 being “fully prepared), how would you rate your organization’s current level of preparedness for the CCPA?

Source: IAPP and OneTrust 2019 Survey 34

By Jan. 1, By July, 1, After July, 1, No 2020 2020 2020 Timeline

INFOGOVWORLD.COM

0-3 (low) 4-6 (medium) 7-10 (high) Overall

0% 1% 17% 5%

34% 57% 61% 50%

31% 26% 17% 25%

11% 2% 0% 4%

22% 7% 3% 11%

Source: IAPP and OneTrust 2019 Survey

3% 7% 2% 4%

Lack of time, lack of budget, lack of knowledge (or training and tools), lack of internal support, and the complexity of the law were all outlined as obstacles privacy professional see to timely CCPA compliance. The new consumer privacy rights and the sheer scope of the CCPA had a lot of respondents feeling backed against the wall. Lack of time/bandwidth and the complexity of the law are proving to be the greatest obstacles to CCPA compliance

3.6

3.5

Lack of time/bandwidth Complexity of the law Lack of budget Lack of knowledge, training, tools Lack of internal support from leadership or other

One thing is startlingly clear based on IAPP’s findings: All that GDPR preparation paid off. Even though there are key differences, GDPR provided a roadmap for how organizations should approach compliance deadlines, especially since many of the obligations are similar (though not all). IAPP asked respondents to what extent GDPR preparation helped their ability to comply with CCPA. The findings were interesting: In trying to become CCPA compliant, 30% of organizations are not leveraging their previous GPDR compliance efforts at all 30%

30%

2.8

2.7

2.6

2.4

1.8

23% 17%

15%

10% .9

Question: On a scale of 0-10 (with 0 being “not at all” and 10 being “fully”), how much are you leveraging your GDPR compliance efforts to comply with CCPA?

Source: IAPP and OneTrust 2019 Survey

Compliance can impact reputation, and therefore brand equity. When asked about the factors motivating them, sanctions and enforcement were toward the bottom. Most cited their organization’s “reputation as the biggest motivator for complying with the new law, followed by the desire to protect consumer privacy.” IAPP’s findings here support the industry-wide notion that “privacy and data protection is central to the organization’s brand.” Concerns about reputation and protecting consumer privacy are the primary motivators for CCPA compliance

4.4

Reputation Protection of consumer privacy Concern about sanctions and enforcement actions Being seen as more compliant than our competitors Leveraging GDPR compliance efforts 4.3

3.9

3.6

It makes sense that the organizations that were compliant with GDPR would be better prepared for CCPA compliance. The same goes for those organizations that have low GDPR compliance being less prepared to meet the 2020 compliance deadlines for CCPA. Firms that are not GDPR compliant are also less likely to have a timeline in place for CCPA compliance

3.4

3.3

3.1

When do you expect to be in compliance with the CCPA?

2.2

By July 1, 2019

1.1

By Jan. 1, By July, 1, After July, 1, No 2020 2020 2020 Timeline

Don’t Know

Current level of GDPR compliance

Question: Please rate the following factors in terms of how much of a motivator they are to your efforts to comply with CCPA.

Source: IAPP and OneTrust 2019 Survey

0-3 (low) 4-6 (medium) 7-10 (high)

0% 0% 8%

0% 35% 51%

20% 12% 27%

11% 6% 2%

22% 35% 7%

3% 12% 3%

Source: IAPP and OneTrust 2019 Survey INFORMATION GOVERNANCE WORLD

RISK & COMPLIANCE TAKE-HOME MESSAGE CCPA compliance deadlines are right around the corner, and most privacy professionals and organizations feel woefully underprepared. The reasons range from a lack of time and bandwidth all the way though legal complexity. But the early steps in CCPA compliance are actually the same ones that organizations must undertake when rolling out IG programs, that is, they must conduct an inventory of their information assets, and create a data map of where all information is stored. So good IG practices form the foundation for good privacy compliance practices. It’s important to remember that CCPA is here to protect consumers, and organizations have a responsibility to comply; otherwise, their reputation could take a hit.

“

Good IG practices form the foundation for good privacy compliance practices.” GDPR served as groundwork for compliance (given that there are similar obligations involved), but organizations need to understand the similarities and differences in order to leverage anything they gained from GDPR compliance. In the end, CCPA represents a sea change for U.S. consumer privacy, and we’re all going to be better for it: consumers gain more control over their personally identifiable information (PII), and IG and privacy professionals get to put their skills to work. 36

INFOGOVWORLD.COM

IG ANZ 2019 IG SURVEY BY BAIRD BRUESEKE

nfoGovANZ is an organization founded to further the adoption of IG principles and practices in Australia and New Zealand. IGANZ (www. infogovanz.com) conducted its first IG survey in 2017. This year, they repeated the IG survey and the results provide an interesting insight into the growing maturity of IG programs in the region. The 2019 survey collected results from 340 industry professionals. InfoGovANZ requested and received cooperation from a number of organizations whose members submitted survey responses. This outreach enabled IG ANG to include responses from a broad range of professionals in their survey results:

AREAS OF ENGAGEMENT CYBERSECURITY / IT SECURITY 27% DATA ANALYTICS 32% DATA GOVERNANCE 58% EDISCOVERY 20% PRIVACY 38% RISK / COMPLIANCE 34% RECORDS MANAGEMENT 69% LEGAL 15% © 2019 Information Governance ANZ PTY LTD

The three main drivers of IG projects were identified as: 1. Good Business Management Practices (up 16% from 2017) 2. External Regulatory, Compliance, or Legal Obligations 3. Internal Technology Restructuring or Transition. The IG Survey results highlight the fact that a significant number (46%) of organizations are using an IG framework to guide their IG programs. The survey identified these activities and solutions as the most important in their IG projects: Implementing an IG framework 46.0% Compliance with Privacy Regulations 16.2% Data Loss Prevention 10.4% Big Data Analytics 6.8% Decommissioning an archive or system 2.3% Other 6.9% Other factors which are significant drivers of IG projects include changes in privacy laws such as GDPR and Australia’s Notifiable Data Breach Scheme, with 42% of respondents indicating that the new regulatory environment is driving their IG projects. IG Maturity was a metric that offers insight when compared with the 2017 results.

IG Program Maturity Level

2017%

2019%

%change

Advanced (well-developed, comprehensive, organization-wide processes in place)

Intermediate (established, but still developing)

Recently Formed

-2

Non-existent

Out of Date

-2

Don’t Know

-7

Combined, the Advanced and Intermediate IG Maturity levels in 2019 total 54%, a 7% increase over 2017. Interestingly, this increase in Maturity corresponds with the 7% decrease in those respondents who did not know the Maturity level of their IG program. When asked to rate their organization’s approach to IG programs, the responses indicated a fairly even split between proactive and reactive approaches:

2019

2017

Proactive, planning and going

49% 47%

Up 2%

Reactive, event-driven and unplanned

44% 37%

Up 7%

Don’t know

7% 16% 0%

10%

20%

Down 9% 30%

40%

50%

It is possible that these results correlate with the responses to IG leadership. For example, when asked if a Chief Information Governance Officer is essential to IG Success, 56% said ‘Yes’, 14% said ‘No,’ and 30% were on the fence. In another question, respondents were asked if their organization had addressed IG leadership. In this case, the answers were: 35% ‘Yes’, 47% ‘No,’ and 18% ‘Don’t Know.’ The 47% of organizations whose representative answered ‘No’ to the leadership question are likely a big part of the 44% whose approach to IG programs is reactive. Another question about IG leadership asked if the individual accountable for IG in the organization was a peer of the C-Suite (senior executives). The responses were: 41% ‘Yes,’ 46% ‘No,’ and 13% ‘Don’t Know.’ The 46% of respondents who answered ‘No’ to this question are also likely to be members of the organizations whose responses are reactive. Overall, these results highlight the key aspect of Executive Leadership in IG program success. The final survey question points to good news for the IG Market space: 33% of organizations plan to increase their IG spending, a response which increased 7% over 2017. The information presented in this article was taken from the IG Industry Survey, July 2019 Report. The full report is available for download on the InfoGovANZ website (www.infogovanz.com). INFORMATION GOVERNANCE WORLD

LEGAL & eDISCOVERY

Ken Withers

INTERVIEW WITH KEN WITHERS

en Withers is the Deputy Executive Director of The Sedona Conference. Since 1989, he has published several widely-distributed papers on electronic discovery, hosted a popular website on electronic discovery and electronic records management issues, and given presentations at more than 300 conferences and workshops for legal, records management, and industry audiences. His publications include, Ephemeral Data and the Duty to Preserve Discoverable Electronically Stored Information in the University of Baltimore Law Review (2008); Living Daily with Weekly Homes in the Texas State Bar Advocate (Summer 2010); and Risk Aversion, Risk Management, and the Overpreservation Problem in Electronic Discovery in the South Carolina Law Review (2013). From 1999 through 2005, he was a Senior Education Attorney at the Federal Judicial Center in Washington D.C., where he developed Internet-based distance learning programs for the federal judiciary concentrating on issues of technology and the administration of justice. Ken also contributed to several well-known FJC publications, including the Manual for Complex Litigation, Fourth Edition (2004), Effective Use of Courtroom Technology (2001), and the Civil Litigation Management Manual (2001). IG World: Where did you grow up? Go to school? I was born in Petersburg, West Virginia and grew up in upstate

INFOGOVWORLD.COM

New York (Albany, Utica, and Boonville) and Providence, Rhode Island, as my father was a Baptist minister and we moved a lot. I am a high school dropout. Seriously. I never even got around to getting a GED. Perhaps I will go back and finish high school someday, but high school students today are much smarter than I am and I’m afraid I’d be crushed by the competition. Still, whenever I bike past the Phoenix Coding Academy at Central High School, I think to myself, “if that existed fifty years ago, I might have stayed and graduated…” When I turned 16, I could legally drop out without being arrested for truancy, and promptly did so. A few months later I managed to talk my way into Northeastern University in Boston. After the first term I was on the dean’s list, where I stayed, on and off, for five years (working the whole time, as my father flatly refused to support this madness). The college admission folks never followed up on that high school diploma issue. After graduating from Northeastern, I worked for three years in advertising and PR before applying to Northwestern Law School in Chicago. They never asked about the high school diploma either. Later, while studying for the bar exam, I used to have a recurring nightmare that I would be hauled before the bar authorities and told that because I never graduated from high school, I’d have to go back to get Phys Ed credits before I could be admitted to the bar. “Here are your blue shorts,” they’d say, as I’d hang my head in shame.

How and when did you become interested in e-discovery? What changes have you seen in the last five years in that market space and what trends do you see emerging? I was doing eDiscovery before there was a word for it. I loved civil litigation, computers (such as they were in the 1980s), and the emerging challenges of discovery. The first time I spoke to an audience about what came to be called “eDiscovery” was in 1987. Only a handful of us—John Jessen, Joan Feldman, a couple others—were talking about this, so I immediately became a big fish in a very small pond. But I hated the actual work of eDiscovery, which in those days consisted of organizing teams of paralegals and first-years into document review chain gangs, manually coding hundreds of thousands of paper documents and entering the data into a proprietary database, and later a hacked library card catalog system. That, sadly, was also state-of-the-art at the time. In the mid-1980s I noted that much of the paper discovery we were receiving from clients and opponents alike were generated from computer files. Remember VisiCalc, ARPANET, and Wang word processors? Probably not. But in Boston in 1986, everybody was using Wang, converting to Lotus, and if you were a defense contractor at one of the big universities, you had access to this thing called email. My idea was that paper discovery was expensive and wasteful. It would be cheaper, faster, and easier to manage if we kept everything in native format and just produced electronic files. It’s an entirely different world today. There is now a multiple-billiondollar eDiscovery industry, an entire field of technology, and advances in methodology that would make it pointless for me to try to return to the active practice of law. I’d need to go back to school and learn it all over again. I am particularly struck by the growth of AI applications for eDiscovery, which is something that I advocated back in the last century, and nobody picked up on until Jason Baron and Maura Grossman took up the

cause much later. But perhaps the most significant development has been the incorporation of eDiscovery into the broader field of Information Governance (IG). From the start, I always believed that eDiscovery was more efficiently run if the organization’s IG operation was robust, and one my saddest memories is of a pointless discovery project, that forced the client to spend millions. There was a warehouse of boxes, all neatly organized and labelled with document destruction dates that were ten years or more past. The client had downsized its IG operations out of existence in a fit of ill-considered budget cuts and ended up with millions of paper documents that should have been destroyed long ago. Only the indices that described the collection had been destroyed, so we had to reconstruct the whole catalog on very short notice before making any further preservation or disposition decisions. That would never happen today, would it? How did you get involved with the Sedona Conference, and could you give us a brief history of the organization and its accomplishments? By 2000, I had moved from the Social Law Library in Boston to the Federal Judicial Center, from state court judicial education on law-and-technology issues to federal court judicial education on the same topic. It was like getting traded to a different baseball team, but still playing the same position. One of my assignments was to assist the Civil Rules Advisory Committee of the Judicial Conference, which was then deliberating over the proposals that would become the 2006 Amendments to the Federal Rules of Civil Procedure. Some of the judges serving on that Committee were invited to participate in a conference on “complex litigation” being held somewhere in the hills of Arizona. I was assigned to accompany them. After my first Sedona Conference, I was hooked. The concepts of dialogue and consensus—in contrast to the endless debate in the rulemaking process—just seemed right to me. And I got along well with Sedona’s founder and executive director, Richard Braman, who asked me

to help with future events, especially with state and federal judges who wanted to attend or whom Richard wanted to invite as faculty. In the early days, Sedona was just a “conference,” three annual CLEs on complex litigation, antitrust, and intellectual property law, held in Sedona, for an audience that couldn’t exceed 65 people. But the participants wanted more—they wanted to create solutions to the problems, rather than just discuss them. Jonathan Redgrave, John Jessen, and others convinced Richard to form “Working Groups” that would study issues between the conferences, and then present papers at the conferences. This would be more than just CLE: it would be a think tank, similar to the American Law Institute, only open to anyone who wanted to join. Working Group 1 was launched, which would concentrate on eDiscovery and related issues. We thought it would last a couple

“

...perhaps the most significant development has been the incorporation of eDiscovery into the broader field of Information Governance (IG).”

INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT of years, produce a few reports, and disband. We were very wrong – it still is active, has about 600 members, and has continued to produce Principles, Guidelines, and Best Practices that are cited by judges across the country, and even internationally. But the success of WG1 came at a very bad time. Richard was diagnosed with terminal cancer and needed to recruit a successor while he was still relatively healthy and active. I remember that Board meeting in Sedona, when everyone turned to me. I had no intention of assuming Richard’s role, but I agreed (after a negotiation between Richard and Judge Barbara Rothstein, who was my boss at the FJC at the time) to relocate to Arizona and assume administrative responsibilities during the anticipated transitional period, until a new Executive Director could be found. It didn’t work out exactly as planned. Richard stayed healthy enough to work every day for years, and he drove every candidate for his replacement crazy. Meanwhile, the Sedona Conference grew to over 1,000 members in ten Working Groups, with several new employees and a greatly expanded program of events and publications. Richard passed away in 2014 – nearly ten years after he was diagnosed. But he used that decade to good advantage, and five years later, we’re still growing under the leadership of his successor, Craig Weinlein. Sedona Conference publications have been cited in several hundred court opinions and provided the basis for the 2006 Amendments. Our eDiscovery casebook

is the standard in law schools, and our Guidelines on Protective Orders and Pubic Access, while dated, is still a basic training document for court clerks nationwide. We are one of the few American NGOs that European data privacy authorities regularly meet with, and our Patent Litigation Commentary series is highly regarded. And all this is free from our website, thanks to a group of 40 or so loyal law firm and corporate sponsors, none of whom demand anything more than we do our best to create consensus-based, non-partisan analysis and guidance. What are the longer-term plans for the Sedona Conference group? Any particular emerging areas of focus, or changes in direction? We plan on more of the same. The newest working group, WG12, is concerned with trade secret identification and protection. Our annual International Programme on cross-border data transfers, held in Hong Kong last month, was a great success, and we will continue that event in different regions of the world. And our International Patent Litigation program, based on the work of WG 10, will be held in Ireland this fall. It’s an exciting time. I think the biggest growth area will be in privacy and data security, which touches on all the Working Groups, but is led by WG11, which will be meeting in Montreal in September. We’re a long way from those little conferences of 65 people in the red rock country of Arizona, and all the while, we’ve maintained our “public charity” status. No sponsor contributes more than 2% of our operating budget, we maintain a comfortable financial picture, we owe nothing to any particular interest group, and our doors are open to anyone who wishes to participate in dialogue (not debate) and consensus-building. What are the most rewarding activities that you participate in with the Sedona Conference, and why? The annual International Programme is by far the most fascinating activity,

INFOGOVWORLD.COM

to my mind. We meet in a different part of the world every year, and we’ve developed close relationships with lawmakers and the legal profession in each of those countries. We’re concentrating on cross-border data transfer issues, with their considerable privacy concerns, both in the context of discovery and in day-to-day business. And the challenges are enormous. That’s on the substantive side. But on the personal side, The Sedona Conference has evolved into an extended global family. We celebrate marriages and births, mourn deaths, and really get to know one another, despite our many differences. We hear you were a rodeo rider in your younger years. How did you get started in that sport, and what lessons did you take away from it? Fake news: I wasn’t a rider. I was a safety officer in amateur rodeo. I rode, of course, but not competitively, and usually to rescue a hapless contestant who got in trouble in the arena. And I had another role, and that was to police the professional contestants who entered the amateur events. The pros were forbidden to do so by their contracts with professional talent organizations, but they couldn’t get much practice in between official pro events. So, they would register in the amateur events under assumed names. I’d spot them and provide some unsolicited legal advice,

News chiefly to protect the club sponsoring the event, but I was probably guilty of conspiracy to breach contract. We’d let them compete, but I’d grab the PA microphone occasionally to announce a “no camera” event. Spectators were told to put their cameras away for this event so there wouldn’t be a photographic record, and ushers in the stands would enforce the rule. I provided the same quasi-unlawful service to musicians who were bound by similar contracts that prevented them from joining jam sessions in basement clubs in Boston. I felt sorry for these kids—they deserved better treatment by their respective talent agencies and record labels. And in the very first solo case I argued before a judge, I successfully got a Grammy-winning Salsa band out of an onerous, one-sided contract with a major record label. I learned a little about entertainment law, but the rodeo experience in particular taught me something about the value of diversity: men, women, old, young, amateur, pro, European, African, Central American, Native American, gay, straight, bovine, human: everyone was welcome to get out in the area or on the stage, try their luck, learn some skills, and help build a team. My impression from the pros who participated was that amateur rodeo was more enjoyable and rewarding than pro events. Didn’t pay anything, however. If you could have dinner with three historical figures, who would they be, and why? Now, that’s a really tough question, and I could probably name a dozen. If I must choose, I would probably say: 1. William Morris, the Victorian-era industrial designer and utopian social theorist; I visit his house in Hammersmith and former showrooms at Liberty’s whenever I’m in London 2. Frank Lloyd Wright, for the sheer entertainment value of listening to an unapologetically egotistical genius. Dinner would need to be in one of the Oak Park homes, of course. 3. James Baldwin, because who wouldn’t want to have dinner with James Baldwin? Ask me again next week and it’ll be three totally different people. What is your favorite food, and your favorite drink, and why? I’m from good Welsh stock, so I have to love lamb, in any form: roasts, stews, shish kabob, gyros. Indian lamb curry over aromatically-spiced creamed spinach is my idea of Heaven. But being Welsh, I’ll also enjoy almost anything in a cheese sauce. I was diagnosed as diabetic a few years ago, so I had to un-learn my love of potato, rice, bread, and pasta; I lost 35 pounds in the process. I still occasionally succumb to intense desire for loaded Chicago deep-dish pizza, but I know I shouldn’t. On the beverage side, I used to brew my own beer and loved hard cider, but I had to give that up as well. These days I drink a lot of mocha, hot or iced, that I make myself from scratch, using sugar-free ingredients. The combination of coffee and chocolate is irresistible. I’ve even created a powered version that I can take on the road with me, as I can’t order much of anything in a café or pub anymore; it’ll be loaded with either carbs or sugar.

CLOUDNINE EXPANDS IN eDISCOVERY MARKET CloudNine®, a leader in the eDiscovery software marketplace, is expanding in the legal technology market, continuing to advance capabilities across its software portfolio as well as to grow sales and integration partnerships. At ILTACON 2019 in Orlando in August, CloudNine’s new CEO Tony Caputo and his team demonstrated new features and performance upgrades to CloudNine’s eDiscovery technology suite including CloudNine Explore™, LAW™, Concordance® and Review™.

Highlights of ILTACON 2019 announcements include: CloudNine Explore 7.2 – Explore, an early case assessment solution, is now faster, more flexible and scalable for larger projects due to unique multi-core, multi-threaded processing capability across several machines. Explore 7.2 also connects more seamlessly with CloudNine LAW pre-discovery production software to enable greater organization and data export options. CloudNine LAW 7.2 – LAW now includes more powerful controls for organizing data. The popular Turbo Import feature is enhanced by flexible workflows and new Import Set reporting features. Turbo Import in LAW 7.2 now imports and analyzes data 73% faster than LAW 7.0. CloudNine Concordance Desktop 1.07 – Import speeds are now 70% faster with Concordance 1.07. The new version also adds administrator tools, improves document and email text extraction, and provides new organization and management functionality to optimize both database and unstructured data. New viewer and redaction capabilities were showcased at ILTACON. CloudNine Review 2019 – The Review platform has been completely modernized to improve speed, performance and user experience. New Family Tagging and Field Grouping also were released and shown at ILTACON. Office 365 Connector – CloudNine also be unveiled a new application at ILTACON which will be released later this year that extracts data from Office 365 and automatically loads it into CloudNine Explore. About CloudNine Discovery: Founded in 2002 and based in Houston, CloudNine (www.cloudnine.com) is a technology company with expertise in simplifying the data discovery process. Through its on and off-premise software brands, the company helps its more than 1,000 legal and corporate customers, gain insight and intelligence on electronic data. INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT INTERVIEW W/ MONICA CROCKER

onica Crocker is the Group Records Coordinator for Wells Fargo’s Wealth & Investment Management business. In her role, she mitigates the risk associated with electronic and physical records. She began her career as a Digital Imaging Consultant in 1993, defining electronic content and records management strategies for government organizations across the United States. She spent the last decade of her career working with organizations that range from manufacturing to food production to banking. She has earned both the Certified Records Manager and Certified Project Management Professional designations, and was inducted into the AIIM Company of Fellows in 2019. A firm believer that “simple” does not necessarily mean “easy,” she is passionate about identifying solutions that allow users to spend less time managing records and more time fulfilling the mission of the organization. She is a frequent speaker at eDiscovery, AIIM and ARMA conferences and has authored many articles; she was a contributor to the Minnesota eDiscovery Working Group’s White Papers, ARMA’s Information Governance Book of Knowledge and to Robert Smallwood’s Information Governance: Concepts, Strategies, and Best Practices (Wiley, 2014, 2019).

Monica Crocker

INFOGOVWORLD.COM

PHOTOS BY NORA BURROWS

When not at work, Monica has contributed her time to multiple non-profit boards and is dedicated to improving the welfare of the world’s animals. We caught up with her just as she was making her move from chilly Minnesota to California’s Napa Valley: IG World: Where did you grow up? Go to school? I spent my childhood years in Fairbanks, Alaska. But we moved to the Twin Cities as I hit my teens, and I lived there for, well, decades. Not surprisingly, they were very different. I went to the University of Minnesota. The two most valuable things I learned at the University of Minnesota were: no one is paying that much attention to you because they are too busy with their own stuff (so get over being self-conscious already) and how to navigate a large bureaucracy. What are your fondest childhood memories? Most of my fondest memories involve food! I remember how great the trout we caught that day tasted when cooked over a campfire. And the delicious burst of flavor of wild blueberries in pancakes that was your reward for braving the bears to pick them. I remember what a big deal it was when the first McDonald’s opened in Fairbanks; I still have Ronald McDonald’s autograph from his appearance at that event. And I remember my dad bringing home a king crab with legs the size of baseball bats for dinner. Also, him making the first batch of, “new peas and potatoes in cream sauce” with produce from the garden. He also grew giant cabbages, but I don’t remember anyone eating those other than the moose. I remember every year, during the ugly, muddy, slushy “spring breakup” my mom would take us down to my grandparents’ in Northern California for a vacation. I loved being at my grandparents.’ They got more TV channels than we did in Alaska and we went to see the ocean and go out to lunch at Brooktrails Golf Club where I was allowed to order a club sandwich with those fancy toothpicks in it. Wow, even that turned into another food memory! How did you get involved with records & information management?

I blame it on two people, my mom and document imaging pioneer Terry Menta. Terry was doing a consulting gig at the county where my mom worked. I had just relocated from Minnesota and was looking for work. Mom suggested I intern for Terry. It snowballed from there. It turns out I had a knack for understanding processes. We consulted on digital imaging consulting projects for government agencies for years. In the course of doing that, I became a Certified Records Manager so I could speak with authority to the Records Managers in those organizations. I enjoy both aspects of the industry—the Records Management side that helps organizations comply with regulations and manage the risk associated with their records; and the technology side that provides tools to help people do their jobs. How has RIM changed in the last 10 years or so? I certainly hope RIM is more visible and a higher priority in many organizations than it was 10 years ago. From what I’ve seen, RIM is able to ride the wave of other IG initiatives that have become organizational priorities: data protection, privacy, big data, eDiscovery, technology simplification, and business continuity. These initiatives have become opportunities to apply records management principles, particularly records classification and records destruction. And if you happen to have an inventory of official records, well, then, heck, it’s like you have a map to buried treasure that can be leveraged for any number of organization initiatives. Another factor contributing to RIM visibility is the increase of regulations related to records, such as those related to privacy. It’s much easier to comply with regulations that affect your records when (1) you don’t have a bunch of extra records and (2) you can find them. Those are both areas where good RIM practices can help. How does working in the banking sector compare with your other commercial experience, from a RIM perspective? It is very different. My previous position

was for a business that was very low risk from a records standpoint; lightly regulated and no one sued them. As a result, records management was not a high priority. The banking sector is closer to my government experience; the records management program in both are significantly impacted by regulations in two ways: First, there are extensive regulations related to the way you do things, and you have to keep copious quantities of records to prove your compliance with those regulations; and second, there are regulations that dictate the specific records you need to retain and the manner in which you need to retain them. Therefore, records management is perceived as a critical function in both my government and my banking experience. Has GDPR had an impact on your departmental procedures? How? Are you taking any steps to prepare for complying with the California Consumer Privacy Act? Heck yes. Both of those regulations give organizations yet another good reason to NOT retain records any longer than absolutely necessary. And I always say, a Records Management program should “ride the coattails” of high priority initiatives whenever possible. As long as your organization has a need to remediate records in light of GDPR requirements, that may be an opportunity to implement Records Management compliance at the same time. The California Consumer Privacy Act may provide a similar opportunity. What is your biggest career achievement? I like doing the day-to-day and projectrelated stuff involved in IG But I cherish those occasions where I have the opportunity to reflect on my experience and what I’ve learned from others and condense that into guidance. Particularly the lessons learned about what NOT to do. As a result, I enjoyed writing the chapters in Robert Smallwood’s books, Managing Electronic Records and Information Governance. I also got to contribute to the ARMA Information Governance Book of Knowledge, which involved multiple days in a room with other really smart people brainstorming INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT what to put into that publication. Similarly, I love doing presentations at conferences because it forces me to organize my overabundance of opinions into a few bullets on a few slides. I usually get good audience participation, and I end up learning more from the questions and counterpoints that are raised than I do in months on the job. I can remember a motorcycle instructor encouraging everyone in the class to take up racing; not for the racing itself, but because it forced you to focus what you’ve learned, learn more really quickly and soak up the wisdom that can be gained by being in an environment with people that live and breathe motorcycles. A good conference is sort of the same thing. But I guess I’d have to say my favorite work achievement is the fact that the content management system I built at the State of Minnesota is still up and running, continues to expand and that the team we built to support it is still building and supporting it. It was a magical combination of the right tools and the right people for the job. What advice do you have for others trying to implement compliant RIM programs? Be patient, but stay alert. I have always had a strategy/plan to move forward independently. But by keeping my eye open for opportunities, I have managed to piggyback on other initiatives to get way more done than my plan, with its limited visibility and limited resources, would have ever accomplished. Need to prepare for potential Legal Holds? Let me slide records destruction into that initiative. Need to prepare for potential Legal Holds? Let me slide records destruction into that initiative. Need to prepare for privacy regulations? My taxonomy development and records destruction can help with that. Information security became a priority after a data breach? Well, records destruction can assist with that. Come to think of it, records management offers one of the most cost effective and universally applicable solutions to almost any IG issue: destruction. Records gone means problem solved (at least for that data). All of which translates to: network and keep 44

INFOGOVWORLD.COM

up to date on what’s going on in your organization. I have saved my employers a ton of money by being able to identify which applications were and which were not systems of record, so they won’t have to take archive or migrate the non-systems of record as part of a divestiture or acquisition. And I won’t have to manage archives of data that we don’t even need. Those projects didn’t have anything to do with records management on the surface, but I was able to help them reach their objectives with less effort and reduce the amount of ongoing work for the records program at the same time. What special skill or hobby do you have that might surprise your colleagues? I am a PADI certified scuba diver and, until recently, I had my motorcycle license. And I might be the oldest newlywed you’ve ever known. Also, I used to do volunteer work for an organization that rescued big cats. Which means I learned how to move in a way that doesn’t trigger the “you are prey” response. I’ve fed lions and cleaned a bobcat habitat and shoveled snow around a tiger cage and built a surgery table that will hold a tiger. The most important thing I learned from that is that every animal has its own personality and its moods and is capable of recovery from trauma, even the wild ones. What do you like most about the Twin Cities? I love the art and music scene in the Twin Cities. There are many small and medium sized concert venues, some of which are beautiful historic theaters and a couple of which are in outdoor settings. And many of my favorite performers are from right there in the Cities, so you

get to see them perform in a variety of settings and contexts and really learn to appreciate their skills. And the art is incredible. When I went to pack for the move to California, I think half of my boxes were just for art… sculpture, blown glass, paintings, pottery. I buy art directly from the artist at a show or at their studio, so I get to meet them and talk about their work, which I think makes for a more meaningful connection to the piece. Oh, and the Twin Cities has a thriving estate sale business; I have a blast hunting for treasures. What is your favorite lunch or brunch place in the Twin Cities, and why? I can’t pick one, but I can narrow it down to three. One, Hell’s Kitchen is fabulous (no connection to the TV show). I didn’t “get” huevos rancheros until I had theirs; their scrambled eggs are perfectly fluffy. They make their own salsa and deep fry the tortillas so that the entire dish has a satisfying crunch. And I get to eat them while admiring their collection of Far Side cartoons with a Hell theme. Two, the World Street Kitchen food truck makes a rice bowl with fried tofu that is perfectly crispy on the outside and velvety on the inside and the whole thing is covered with an addictive sauce. Three, a few times a year I get to walk over to the State Fairgrounds, have a breakfast quesadilla with fresh made salsa for breakfast, coffee from the Farmer’s Union, walk around until I get tired, go home for a nap and then go back for cheese on a stick, a bowl of honey ice cream and a free concert. Those are my three favorite Twin Cities lunch/brunch experiences. But now I’ve just moved to northern California, so I have a whole new territory to explore!

IRON MOUNTAIN POLICY CENTER KEEPS YOU COMPLIANT New cloud-based retention subscription service stays current and uses data maps to help records managers document regulatory compliance

You’ll be able to keep your records retention and data privacy policy management connected, current and compliant through the cloudbased Policy Center portal. As laws change, you can count on high quality research from our international network of law firms to know how changes impact your organization so you can update your policies accordingly. Available as a subscription service, you’ll receive a feed of fully cited and summarized legal citations with a simple explanation of the requirements to empower your decisions on retention rules and privacy obligations that make sense for your organization. With filters you can easily view which record classes and types in your retention schedule are affected by privacy law. To show compliance, you’ll have tools to document critical information about your business processes that contain personal data, enabling compliance with the GDPR Article 30 requirements. You’ll be able to create visual maps to centrally see where personal data lives, who owns it, what process it’s a part of and what are your retention rules and privacy obligations for it. In your maps you can show the movement of personal data within and outside of your organization so you can quickly identify where personal information is located to help your company respond to time-sensitive issues, such as data breaches, subject access requests, data erasure requests, audits and litigation. Employees in your organization can easily access the latest version of your retention schedule and privacy policies online, using custom views and advanced search to filter to only the retention rules and privacy obligations that apply to them. You also have the option to connect policy to your content infrastructure through an open application programming interface (API). COMPLEMENTARY SERVICES To help assess your information management policies, procedures and platforms and readiness to comply with the regulations that govern you, our Advisory Services team can provide you an indepth assessment and roadmap to help you achieve your goals through the IG Assessment service. With up-to-date and connected retention and privacy policies, you’re in a good position to clean up your legacy content through our Content Classification service, leveraging our proprietary classification rules database that systematically calculates destruction eligibility according to your retention schedule. You can unlock the power and value hidden in your data, both physical and digital, through Iron Mountain Insight™. Our cloud-based content services platform can help accelerate digital transformation, reduce risk and drive compliance, while allowing you to focus on the analysis needed to empower business decisions.

www.ironmountain.com/contact/policy-center

When your information has met your organization’s requirements of retention, our Shredding service and Secure e-Waste and IT Asset Disposition service will enable you to destroy it, confident that you are complying with regulations governing information destruction. For information you’ll be retaining, you can use our Iron Cloud™ and Secure Storage Services to secure and protect your valuable information. You can use our Document Imaging Services to have paper documents scanned and indexed, with metadata applied, for easy data retrieval.

DATA GOVERNANCE HOW BUSINESS INTELLIGENCE AND DATA GOVERNANCE SUPPORT ONE ANOTHER BY GEORGE FIRICAN

usiness Intelligence (BI) became part of the core focus of IT departments in the late 1980s. BI encompasses a wide range of practices, technologies, and applications. Together, they help companies collect, analyze, and present information that, in turn, helps leaders make informed business decisions. Data Governance (DG), on the other hand, is a discipline. DG provides the strategy and structure necessary to manage data as an asset that can be transformed into meaningful information for the organization. In other words, DG is becoming a major point of focus for organizations that invest in BI and data science. WHY ARE COMPANIES ADOPTING BI GOVERNANCE? While DG fails to garner the same media attention as Big Data and similar concepts, it is worthy of discussion. Currently, the intersection of DG with BI is more visible, and there’s good reason. With the adoption of a DG strategy, companies realize that they can significantly improve the ROI (Return on Investment) of BI investments. THE ESSENTIALS OF SUCCESSFUL DATA GOVERNANCE IMPLEMENTATION As Forbes warned in their 2016 study titled, “Strong Data Governance Enables Business Intelligence,” DG is the key to successful BI implementation. It is

INFOGOVWORLD.COM

essential that DG policies are both consistent and flexible. The study detailed some key barriers faced by companies trying to leverage BI and highlighted data inconsistency, slow adoption rates, and multiple ways to view data as the top challenges. Forbes drew a critical conclusion, which matched the opinion of 75% of corporate executives: In order for Business Intelligence to advance and become mainstream, Data Governance must be enforced within organizations––especially those aiming to tackle BI at the enterprise level. After all, Data Governance is about treating and managing data as an asset. Therefore, it is able to impact (and improve) every aspect of the BI ecosystem, because it is all data and business-centric.

“

Data Governance is about treating and managing data as an asset. ”

MOVING FORWARD WITH DATA GOVERNANCE It all starts with data ownership, Data Quality (DQ), and Master Data Management (MDM). That’s where the first intersection occurs between BI and Data Governance. From there, companies are able to reap the benefits of an enhanced Data Strategy, which, in turn, enables them to get more from their BI initiatives. In this sense, Business Intelligence champions Data Governance. Data Governance: • Improves the capabilities of Business Intelligence by reducing Data Quality risks • Lowers operational costs by eliminating duplicate data • Lowers redundant data management tasks • Reduces privacy and security risks by establishing and enforcing enterprise-wide data and information policies • Achieves consensus with the business and technical metadata • Aids enterprises in extracting information • Yields a higher ROI from data dissemination The combination of these factors creates an interesting ecosystem in which Data Governance and Business Intelligence can evolve together.

10 GUIDING PRINCIPLES EVERY DATA GOVERNANCE PROGRAM SHOULD FOLLOW

ata governance (DG) can be a challenging initiative for any enterprise launching such a program, but DG is also challenging for enterprises with a fairly mature program in place. There are a lot of success factors that need to be met to achieve a highly mature and effective DG program while the variables keep changing. To get a DG program started on the right path or have a course correction for one which is already underway, here are 10 guiding principles that should be followed: 1. Data is a strategic enterprise asset and should be managed as such. 2. DG is an evergreen program and a business discipline, not a project, which needs an ongoing investment, support, and exposure. 3. DG is the foundation upon which all enterprise information initiatives are built. 4. DG and stewardship are a shared responsibility between business and IT. 5. There must be a common glossary with shared and approved business terms and data definitions with a clear stewardship and ownership process. 6. There is only one version of the truth for enterprise data which is actively managed and trustworthy. 7. Data management needs to comply with legal and regulatory requirements, internal policies, and follow industry best practices and standards. 8. Enterprise data are accessible and understood by relevant roles as needed in order to carry out their duties. 9. Accountability for different data management practices is clearly defined, assigned, and managed 10. DG efforts, goals and objectives, priorities, decisions, and deliverables (procedures, processes, standards, policies, framework, etc.) are always communicated and made available to the entire enterprise. —By George Firican INFORMATION GOVERNANCE WORLD

CONTENT SERVICES RPA & AI: THE COMING GOVERNANCE NIGHTMARE BY CHRISTOPHER SURDAK, JD

s a business or technology person, if you have not been inundated by discussions of Robotic Process Automation (RPA), Machine Learning (ML), and/or Artificial Intelligence (AI) over the last few years, then you might be hiding under the proverbial rock. While AI has undergone multiple boom and bust cycles over the last century, RPA came roaring onto the enterprise software stage approximately 5-6 years ago, and has experienced explosive growth in interest and adoption ever since. RPA promises to deliver fast, cheap and effective automation of business processes while reducing risk and enhancing control. But, can RPA live up to this gargantuan hype, and what are the governance implications of this new class of software? As someone who has worked in and around the foundations of Information Governance (IG) for almost thirty years, I can say with certainty that IG is frequently undervalued. Most return on investment (ROI) calculations supporting IG initiatives don’t support the initiative; that is, at least not until there is some data breach, ransomware attack, or public disclosure of critical information. Once this occurs, boards of directors and chief executives suddenly become intensely interested in IG; regrettably a day late and a few million dollars short. It is my observation that IG is typically treated a bit like toilet paper in a public toilet: no one wants to pay for it, but it better be there when you need it. As many early adopters of RPA have discovered, this technology brings with it a host of IG issues, many of which were neither anticipated nor addressed. These issues are both foreseeable and manageable, because RPA is, at its core, an IG-enabling technology. Architecturally, RPA platforms are a mixture of old and new technologies, applying a modern, robust IG platform to an aggregation of established, and perhaps even obsolescent technologies such as macros, screen-scrapers and optical character recognition (OCR). RPA uses these technologies that manipulate information at the user interface, and allows them to act on interface data in a controlled, documented and governable manner. WHY RPA? WHY NOW? I believe that part of RPA’s dramatic appeal stems from

INFOGOVWORLD.COM

a degree of desperation. Organizations continue on their relentless march for incremental process improvement and cost savings long after such savings have been largely tappedout. After decades of small, lean, Kaizen-driven process improvements, the vast majority of legacy business processes have little further room for improvement; there is no more blood to squeeze from these stones. This loss of capacity for incremental improvement collides with the era of digital transformation, where new organizations are being born digital and operate digital—they are real-time, context-aware, and data-enabled. These digitalnative-processes are dramatically more efficient and effective than 20th Century, paper-based, analog processes that have been digitized, rationalized, outsourced, off-shored, re-shored, de-shored, and de-capitalized for thirty or forty years. RPA promises to allow companies to perform these same, tired, analog business processes at twice the speed, and half the cost, without fundamentally changing them. RPA promises to further automate these old processes in a way that is simple and inexpensive to design, build, deploy, and support. For business leaders who need to cut their costs by 3% every year to keep earning their bonuses, RPA feels like a miracle diet pill sold on late night cable TV. Despite the promise of RPA, the reality falls somewhat short, at least thus far. By 2019, according to Gartner, only 5% of organizations are succeeding with RPA at-scale, while a quick Google search of the phrase “RPA implementation failure” yields over 5.7 million results. Organizations are rapidly discovering that RPA is not the quick fix that many of its proponents have promised, and the dominant factor driving success or failure of RPA implementations happens to be IG. RPA IS IG After decades of enterprise automation, nearly all organizations are still heavily reliant on Excel spreadsheets to run their business. In its course of business, a typical Finance department

in a Fortune 500 company likely uses hundreds, if not thousands, of Excel spreadsheets with macros to perform a myriad of calculations and processing tasks. These tasks are performed outside of the enterprise’s core financial system either for convenience or for cost considerations. Nonetheless, they all occur outside of well-regulated finance systems and processes. This vast flock of free-range Excel macros represent a significant risk to organizations and executives that depend upon them. They are rarely documented, sparsely maintained, and invisible to most oversight mechanisms. Consequently, they are critical to the ongoing operations of the business and yet represent enormous unquantifiable risk. One of the greatest benefits of RPA is that it allows all of these “in-the-wild” macros to come under some semblance of management and control. With RPA, such automations can be controlled from a centralized system with complete transparency. I would argue that the real value of RPA is not that it may allow you to run your Finance department 5% cheaper than last quarter. Rather, RPA allows a CFO or Controller to have full visibility of their business, and hence keep their job through next quarter. RETURN ON IMAGINATION Despite this emphasis on governance capabilities, few organizations capitalize on, or even recognize, this value. In their effort to reduce costs and achieve positive ROIs, most organizations heavily discount the need for and value of IG. Everyone buys into the need for creating an RPA Center of Excellence (CoE), but few organizations show any interest in actually funding a CoE to the extent necessary for success. Replacing a $20/hour data entry clerk with a $10/ hour robot does not leave a lot of room for weekly meetings of an oversight committee, staffed by people earning six figures. Hence, most CoEs are mere shadows of what they really need to be: Information Governance Boards. Governance is extremely undervalued in early adoption of bots. It’s viewed as unnecessary overhead, structure, and process and runs completely counter to the quick-and-dirty approach that RPA

encourages. While I have seen many companies define and adopt a CoE as part of their initial rollout of RPA, frequently that CoE is nothing more than some process maps in a PowerPoint which are loosely followed and rarely referenced. There is a perception that bot governance is another example of IT overcomplicating things. The business wants quick financial wins through bots, rather than more meetings discussing budgets, architectures, risks, and objectives. The more time spent in a governance meeting, the more the ROI of automation is eroded. WANTING SOMETHING FOR NOTHING This is true up to a point. When there are only a few bots running in an organization, there is little need for coordination or oversight. Bot errors are relatively simple to correct, resources are plentiful, and there are few interdependencies. However, increase the numbers of bots (processes) and robots (instances performing the work) to beyond twenty or thirty, and you will likely find your bots, and their masters, stepping on each other’s toes with growing frequency. Most RPA business case implementations fail because of poor utilization and poor throughput. For a range of reasons, bots end up not working 24/7, and when they are working, they fail to complete their assigned tasks. The product of these two factors is Bot Effectiveness, and it is not unusual to find bots running at single-digit effectiveness early in their lifecycle. Marry this poor performance with the perceived high-cost and low value of governance, and it’s easy to see why many organizations under-invest in RPA governance. But, these very shortcomings in throughput and utilization are the kinds of things that an effective IG infrastructure would prevent. In a chicken-or-the-egg scenario, the lack of effective RPA IG leads to ineffective RPA, and so on. In my experience, the majority of the 95% of companies who fail to deploy RPA at-scale do so because they did not create, deploy, support, and

grow an effective IG framework within their CoE. Their maniacal focus on ROI made them completely miss the real value of RPA: governance. SLOWING DOWN TO SPEED UP The 5% of companies that are succeeding at-scale with RPA share several common characteristics. First, they deployed RPA at-scale, rather than piecemeal. Instead of deploying automations one at a time (with each having to justify its own incremental ROI), successful organizations recognize that bots use shared infrastructure. Their costs, and hence ROIs, are interdependent. The more bots you deploy simultaneously, the greater the collective ROI. Second, these companies recognized that most ROI analyses do not value IG, which is the dominant value proposition of RPA. The point of RPA is not to create task automations, since in most organizations such macros already abound. Rather, RPA puts all of these automations under centralized control with transparency, so that the hidden costs of operating these automations freerange can be captured and eliminated. The significant reduction of risk that this process delivers is an added bonus. Third, these organizations have recognized that RPA isn’t a new technology, it’s a new workforce. Through effective governance, they harmonize the work and outputs of both human and digital workers in a way that increases speed, accuracy, flexibility and efficiency. Only through such harmonization of these workforces, through RPA’s IG, can RPA’s true benefits be realized. SUCCEEDING WITH RPA How do leading companies use IG to succeed with RPA? There are a few simple principles to follow: 1. Have IG before you need it, because the more we rely upon automation working, the worse the consequences will be when it inevitably doesn’t. 2. Define your IG to support hundreds or thousands of bots, but only deploy as much as your in-production bots demand. Retrofitting IG is dramatically more painful than designing for scale INFORMATION GOVERNANCE WORLD

CONTENT SERVICES from the beginning. 3. Engage all parts of your organization from the beginning. Participation leads to buy-in and support and reduces the likelihood that people will go rogue and build their own bots off the reservation. Free-range bots are seductive to business owners looking for seemingly fast, cheap and good automation, but they rarely realize the expected returns laid out before deployment. SUMMARY RPA, and eventually AI, are here to stay. Ultimately, both will lead to dramatic changes in how organizations operate. Choosing to not utilize these technologies would be akin to choosing to not have a website in the 1990s, a business-ending decision. But, in order to succeed with RPA, it is critical to recognize that these applications aren’t innovations in functionality (macros, screen-scraping, and OCR); they’re innovations in orchestration (resource management, governance and auditability). When measuring the value of these applications, an ROI analysis that depends upon labor arbitrage, and discounts the value of governance and control, will almost always lead to disappointment and disillusionment. To be part of the 5% of companies that succeed with digital labor, it is critical to understand exactly what benefits it offers. With RPA, organizations will reap significant rewards from digital labor, as long as they are willing to cover the cost of making sure the paper roll never runs out. CHRISTOPHER SURDAK, J.D., IS AN INDUSTRY-RECOGNIZED EXPERT IN MOBILITY, SOCIAL MEDIA AND ANALYTICS, BIG DATA, INFORMATION SECURITY, REGULATORY COMPLIANCE, ARTIFICIAL INTELLIGENCE AND CLOUD COMPUTING WITH OVER 25 YEARS OF EXPERIENCE. HE IS CURRENTLY THE INTERIM CHIEF TRANSFORMATION OFFICER OF THE INSTITUTE OF RPA AND ARTIFICIAL INTELLIGENCE. HE IS AUTHOR OF SEVERAL BOOKS, INCLUDING THE UPCOMING, THE CARE AND FEEDING OF BOTS WHICH IS A GUIDE TO THE USE OF AI, MACHINE LEARNING AND ROBOTICS IN THE BUSINESS WORLD. HE CAN BE REACHED AT CHRIS@SURDAK.COM.

INFOGOVWORLD.COM

UNDERSTANDING THE RPA OPPORTUNITY BY NEIL CALVERT

obotic Process Automation (RPA) is one of the buzzwords of the moment. RPA is an emerging form of business process automation technology based on the notion of metaphorical software robots or artificial intelligence (AI) workers. RPA is being used to automate manual tasks, where the manual task is “recorded” and a “bot” takes over the process from a human worker. Interestingly, RPA does not cause job losses. Most organizations deploying RPA re-assign people to undertake more valuable work. Robots are quite happy doing repetitive tasks that humans come to resent. As humans become bored, they make mistakes. Robots can’t get bored and robots don’t make mistakes. When a manual task requires a person to transpose content from one system to another, using a bot ensures that data quality and accuracy is maintained. The work is also done in a fraction of the time, significantly impacting the flow of data and information through the business—making it available for use faster by reducing the cycle time for any process. Until recently, the only alternative to RPA was system integration, and while this may be a valid approach to take, it can be expensive and time consuming to get right. The expertise needed to code system integration is often hard to find, particularly when dealing with legacy systems. RPA is a viable alternative with a growing base of expertise. If you can teach the bot the task based on the work a human does, you can have the bot “rinse and repeat” that task very efficiently indeed. Being able to articulate the impact that RPA can have on your own business is a great way to foster adoption through executive buy-in. Proving the value of the opportunity before any work starts can help ensure that budgets are provided to enable the work to be implemented. Given the extensive benefits that exist, an implementation conversation should be led by the business, and cuts across the more traditional business units or operational silos: • Employee Benefits: RPA increases job satisfaction by offering a better employee experience through the removal of boring work such as copying data from one system to another. • Customer Benefits: RPA can reduce data errors, meaning fewer customer complaints about incorrect addresses or date of birth. The Customer Experience is also improved through lightning-fast back-office processes providing almost instant responses to queries. • General Business Benefits: RPA reduces cycle time—more gets done and information is available for use faster than ever before. Revenues have an opportunity to rise and costs are reduced. Data quality rises alongside an opportunity to collect more data from systems previously seen as too manual to scrape. Increased analytics as a result can positively impact the knowledge the business has of how it works and respond to the market in new ways. • Compliance Benefits: RPA reduces the number of human touch-points with data, reducing the opportunity for fraud and increasing the auditability of processes acting on data. • Technology Benefits: the life of legacy systems can be increased. Instead of costly rip and replace or integration approaches, RPA offers an opportunity to focus on the core work of the business rather than massive system replacements. Existing systems can work harder and longer, and your IT staff can focus on thinking about continuous next, not continuous firefighting.

Figure 1 - Benefits of RPA from linq.it A quick decision about RPA implementation is enabled by creating a compelling business case. The traditional business case process is unlikely to work in this instance because it takes too long. A business case must focus on where the opportunity exists alongside understanding the impact of any change on the people in the business and opportunity to monetize the change so the investment can be made. Building a “current state” model through a Digital Twin 1, and using knowledge of where RPA can be deployed to produce a future state

Digital Twin, will provide all the data points needed. This methodology focuses on sharing the value of the change through evidence, to get to a decision point as fast as possible. McKinsey 2 provided research about the connection between speed of decision-making and faster execution of decisions, linking to higher business returns. When decisions are made at the right level, focused on enterpriselevel value, and are committed to by relevant stakeholders, the outcomes are more successful than decisions made using other methodologies, especially if they are slow and thorough. Good analytic tools are available for many strategic contexts. Using the right tool at the right time will assist

REFERENCE: [1] LINQ, “Model Your Digital Twin,” https://www.linq.it/digital-twin/ [2] McKinsey & Company, “Insights,” https://www.mckinsey.com/business-functions/organization/our-insights/decision-making-in-the-age-ofurgency [3] Pega, Be disruption ready, https://www.pega.com/insights/resources/be-disruption-ready

in the decision-making process. In the example above, using the Digital Twin of the Organization to gain insight into the impact of automating manual tasks through RPA in a strategically important area of the business generates the evidence needed for a quick decision. Gaining buy-in for a $1.62M operational cost reduction is a relatively simple conversation to have. Knowing which people and systems will be impacted enables the business to manage employees and vendors effectively to ensure they understand the changes and potential of their role to deliver more value to the business. Achieving that outcome in tens of hours rather than tens of weeks will accelerate the organization to a successful future state where the organisation’s most precious resource, people, can deliver increased value to the business. Automation, when applied correctly, accelerates outcomes, improves productivity, saves money, reduces risk, and enables organizations to scale quickly in response to spikes in volume—without the need for additional resources. Automation can also free your employees from mundane tasks so they can focus instead on engaging with customers, leading to increased satisfaction for all. Proving this case through the Digital Twin of the Organization and having the conversations that matter in the business, enable you to act faster than ever before, and quickly benefit from this new digital capability. Thanks to Pega for providing access to their latest disruption report, 3 which includes content on the impact of RPA implementation. NEIL CALVERT IS A CO-FOUNDER, CO-INVENTOR, AND THE CEO OF LINQ, BASED IN WELLINGTON, NEW ZEALAND. NEIL HAS SPENT HIS VARIED CAREER ENABLING ORGANIZATIONS AROUND THE WORLD TO BENEFIT FROM AN INCREASE IN KNOWLEDGE ABOUT THE POWER OF THEIR INFORMATION ASSETS. SINCE 2014 NEIL HAS BEEN DRIVING LINQ’S APPROACH TO INFONOMICS BY EDUCATING PEOPLE HOW REPRESENTING THEIR BUSINESS AS A DIGITAL TWIN AND SIMULATING CHANGE IN THE CLOUD BEFORE IMPLEMENTING IT IN THE REAL WORLD, HELPS THEM SAVE MONEY. OUTSIDE OF WORK, NEIL IS A KEEN COOK AND ALSO TRAINS IN THE MARTIAL ART OF SHAOLIN KEMPO. HE LOVES NOTHING BETTER THAN FAMILY TIME SPENT OUTSIDE AROUND THE BEAUTIFUL NEW ZEALAND COASTLINE AND CAN BE REACHED AT NEIL.CALVERT@LINQ.IT.

INFORMATION GOVERNANCE WORLD

ARCHIVING & LONG-TERM DIGITAL PRESERVATION

DIGITAL PRESERVATION IN STATE AND LOCAL GOVERNMENT: AN AMERICAN SUCCESS STORY

BY MARK DRISKILL

ost people do not think about the implications of, or requirements for, longterm preservation of digital content.Aided in part by easy-to-use cloud-based storage applications such as Box, Dropbox, and iCloud, most of us take digital preservation for granted. This is in part because over the past two decades, the United States has led a significant effort to define uniform digital preservation mandates that businesses and government should follow to be in compliance with federal, state, and municipal laws. After the e-commerce sector took a major hit from the dotcom-bubble-burst, judges, legislators, and business leaders faced a coming onslaught of digital privacy concerns. That investment two decades ago was a good one. For example,

INFOGOVWORLD.COM

in 2000, Congress appropriated $100 million dollars to the Library of Congress (LOC) to lead an effort to streamline digital preservation across multiple government agencies and other related stakeholders. With this Congressional mandate, the LOC initiated the National Digital Information Infrastructure and Preservation Program (NDIIPP). Looking back, it seems almost quaint to consider those meager efforts a beginning. Yet as we look back to the early days of e-commerce, it was that attention to digital preservation that highlighted the connection between state and local governments and their federal partners. While the NDIIPP ended in 2018, its successor, the National Digital Stewardship Alliance (NDSA), maintains a consortium of partners across all sectors of government and

News business. The NDSA leads efforts across three interest groups: content, standards and practices, and infrastructure. This US-led consortium represents a significant step forward in maintaining authentic links across all levels of government. Although the LOC has served as a repository of American cultural heritage almost from its founding, insights gleaned from the NDIIPP and the NDSA highlight a specific connection between electronic records at the federal, state, and local levels. This connection is both fiduciary and regulative. States and municipalities must keep evidence (records) about how they conduct business with the federal government; and states have a historicalmandate to maintain artifacts of significant cultural heritage. Consequently, most cities have official archives where specific electronic records must be maintained and sent to the corresponding state archives.

“

...the NDSA maintains guidance that helps government entities at all levels maintain adequate digital preservation needs. ” The LOC’s continued efforts established an electronic records link between the federal government and the various other government entities that must work in cooperation to serve the needs of the people. In addition to coping with neglected paper records, city managers and state archivists needed to understand how to manage things like floppy discs and email. This was no small task, in the beginning. Records managers came to the rescue in the collection of evidence during electronic discovery (e-discovery), providing those records hidden in the secret or hard-to-find places in our computers. Simultaneously, other sectors in digital preservation developed elements such as “born digital archives.” Records and other artifacts in these archives may never be produced in the physical world. Hence the need for digital preservation. Today, the LOC maintains a Digital Strategy that serves in part as a process framework for preserving digital records created by the dozens of government agencies as they conduct American-related business with the rest of the globe. This includes business with individual states who must also preserve digital records. Accordingly, the NDSA maintains guidance that helps government entities at all levels maintain adequate digital preservation needs. As our society reaches the end of the second decade of the 21st century, the LOC maintains a robust partnership with states and other stakeholders throughout the globe, these partnerships help preserve digital records related to business they do with the U.S. federal government.

PRESERVICA TAPS FORMER OPENTEXT EXEC FOR BOARD SEAT Preservica, a market leader in SaaS-based active digital preservation, welcomes enterprise information management veteran John Shackleton to its board to spearhead the company’s next phase of global expansion. Shackleton will play a hands-on role in guiding the Preservica board and management team as it further scales the business through product innovation and key partnerships. U.S.-based Shackleton will also work with Preservica’s growing Boston, MA team headed by CEO Mike Quinn as the business continues to rapidly expand in North America. Steve Curl, the current Chairman, will step down but continue as a non-executive Director. Shackleton draws on an impressive 30+ year track record of success in the software industry, including driving significant growth while President and CEO at OpenText. Under his leadership the company grew revenues from $60 million to over $1.3 billion to become the world’s leading independent provider of Enterprise Content Management (ECM) software. Shackleton stated, “Preservica has a disruptive cloud-based platform that uniquely addresses the challenge of ensuring digital content is accessible and usable over decades. Legacy enterprise content management and archiving vendors are failing to address this, which means Preservica has already attracted an impressive customer base of enterprise, government, education and cultural organizations. Working with Preservica users and the wider community I see an exciting opportunity to make digital preservation an integral part of every organization’s content strategy.” Preservica’s technology is well-positioned as the volume, diversity and complexity of digital objects continues to grow along with the pressure to decommission legacy applications and meet increasingly stringent industry regulations, statutory government mandates and privacy compliance, like the GDPR and CCPA. Preservica CEO Mike Quinn, commented, “Everyone at Preservica is delighted that John will be actively working with us on our next stage of expansion. It reflects a real confidence in the vision and opportunity for the business and builds on the recent $10 million series B investment from Mobeus Equity Partners. John’s experience will be invaluable as we collaborate with existing and new customers to make digital preservation a seamless and automated part of the content and records lifecycle.” INFORMATION GOVERNANCE WORLD

EMERGING TECHNOLOGY PROTECTING IOT DATA THROUGHOUT THE DIGITAL TRANSFORMATION JOURNEY BY BASSAM ZARKOUT

OVERVIEW Being an Information Governance (IG) professional and an Internet of Things (IoT) professional, I tend to write about governance issues in relation to IoT. In this article I would like to provide an overview of the important term data protection within an IoT context, how data protection impacts digital transformation, and discuss the role of IG professionals in this regard. This article comes with a warning to the reader. It contains several important 1 terms and acronyms that IG professionals should familiarize themselves with. Without doing so, you may not understand crucial points. IOT IoT is defined as: • The ability to configure sensors on things in order to capture operational data, • Exploiting that data by gaining insight about the operation of these things, and then • Controlling and altering the behavior of these things. Ultimately it is about producing “better outcomes” in terms of new business models, enhanced productivity, and reduced downtime. This is a mouthful of a definition. However, the concept of IoT is straightforward: you Detect, you Derive, you Decide, and then you Do. We are witnessing an explosion of IoT solutions2, yet most people outside of the tech sector are unaware of this; an explosion sometimes hidden from the untrained eye. The arrival of 5G and artificial intelligence (AI), and their fusion 3 into IoT, will lead to hyper-connectivity and exponential growth in the number, scope, and adoption rates of IoT solutions. This will transform the world as we know it. The explosion of IoT solutions is also leading to an exponential growth in the volume of IoT data (audio, video, sensor readings, etc.) produced, stored, consumed, and exchanged. This volume of data is expected to surpass the data volumes accumulated in our business systems. This data needs protection and governance throughout its

lifecycle, and some of it needs to be forensically preserved for legal and regulatory purposes. DATA PROTECTION IN IOT Let me switch gears to data protection. I am active within the Boston-based Industrial Internet Consortium® (IIC). This is a community of IoT vendors and organizations who represent the ‘Who’s Who’ in the IoT industry. Over the past few months, I have worked with a talented team of security experts from prominent IoT product and service providers to produce a whitepaper titled Data Protection Best Practices 4. The paper was recently published and is getting very positive feedback from the market. Stacey on IoT called it a “great read.” 5 When we started working on the paper, I asked the team whether there was an industry-wide definition of the term data protection. Market perception among my security colleagues is that data protection and data security are synonymous. But if this is the case, why have two terms? There must be more to it. A week later I attended a conference on data privacy where Dr. Ann Cavoukian, one of the world’s authorities on data privacy, was the keynote speaker. I asked her to define data protection. Her answer was unequivocal “this term means data privacy… the D and the P in GDPR stand for Data Protection.” For our paper, we decided to use the term data protection as an umbrella term that covers several adjacent domains: data security, data integrity, data privacy, data confidentiality, data lifecycle management, data residency, etc. These domains are well defined in the industry with established procedures and best practices. These domains can also overlap and be interdependent on each other. We described the best practices for these domains at 5,000 ft level, covering the three main states that data can exist in: data in motion, data at rest, and data in use. The diagram at the top right illustrates this approach:

REFERENCE: [1] These are: IoT, AI, 5G, Digital Transformation, data protection, edge computing, data at rest, data in motion, and data in use [2] Smart homes, smart buildings, smart cities, smart grids, intelligent transportation, healthtech, insuretech, smart agriculture, smart manufacturing, smart power grids, etc. [3] Intelligent Connectivity [4] Data Protection Best Practices: An Industrial Internet Consortium White Paper (Version 1.0), 07-15-2019 https://www.iiconsortium.org/pdf/Data_Protection_Best_Practices_Whitepaper_2019-07-22. pdf [5] IoT news of the week for July 26, 2019, Stacey on IoT, https://staceyoniot.com/iot-news-of-the-week-for-july-26-2019/ [6] IoT hardware manufacturers, integrators, solution developers, solution deployers and solution operators [7] Thomas Siebel, Digital Transformation: Survive and Thrive in an Era of Mass Extinction, 2019.

INFOGOVWORLD.COM

IoT Trustworthiness Data Integrity Enforce integrity and immutability

Security

Privacy

Reliability

Resilience

Safety

Encrypt Anonymize Encrypt Anonymize

Data Confidentiality

Enforce holds and immutability

eDiscovery & Holds

Control authorized data sources

Control data transfers across jurisdictions

Data Residency

Establish trust between end-point using Authentication Prevent unauthorized access

Other (tbd)

Data Protection and the important role of Data Security

Two important points to highlight in this diagram (IoT context): • Data security plays a central and enabling role in data protection • Data security plays a critical role in domains that are normally associated with the physical world: safety, reliability, and resilience of IoT systems. Failure to apply appropriate data security measures can lead to serious consequences: -Service disruptions that affect the bottom-line -Serious industrial accidents that can lead to life-threatening injuries and environmental damage

Drivers (internal, external) Drivers (internal, external) Drivers (internal, external) Shifting market requirements Shifting market requirements Shifting market requirements Evolving sensor-driven technology Evolving sensor-driven technology EvolvingGrowing sensor-driven technology data protection concerns Growing data protection concerns Changing CX/UX needs Growing data protection concerns Changing CX/UX needs Changing CX/UX needs

-Major data leaks that can result in significant losses, heavy regulatory fines, loss of IP, and negative impact on brand reputation IMPACT OF DATA PROTECTION ON DIGITAL TRANSFORMATION Now let us talk about Digital Transformation. But, let me first cover two related terms. Digitization is the process of making information available and accessible in digital format and Digitalization is the process of applying digitized information to simplify operations. Digitization and Digitalization are prerequisites to Digital

Transformation. (source: SAS) On the IoT side, Industrial Digital Transformation (IDX) is often a “do or face extinction proposition.” It is a Caterpillar to Butterfly transformation and NOT a Caterpillar to Better Caterpillar evolution. It is the realignment associated with the application of digital technologies towards business and industrial models and processes, for the purpose of producing better outcomes. The diagram below sums up this definition at a 10,000 ft level: Internal and external drivers are

Industrial Digital Transformation

Industrial Digital Transformation IoT Trustworthiness

Business Factors  • Strategy Business Factors  • Organization Business Factors •• Strategy IT-OT Convergence • Strategy •• Organization Budgets • Organization Supply Chains •• IT-OT • IT-OTConvergence Convergence • Budgets • Budgets • SupplyChains Chains • Supply

Source: IGnPower

Technology Factors  Governance Factors  IoT Trustworthiness • Cloud • Laws & Regulations Technology GovernanceFactors Factors  • 5G Technology Factors Factors • Standards Governance •• Cloud Cloud •Practices Laws & Regulations • Cybersecurity • Best • Laws & Regulations •• 5G 5GConvergence • Standards • IT-OT • Jurisdictions • Standards • Distributed Ledger •• Cybersecurity Cybersecurity • Best Practices • Best Practices • AI &IT-OT Analytics •• IT-OT Convergence • Jurisdictions Convergence • Jurisdictions • AR/VR Ledger •• Distributed Distributed Ledger •• AIAI& &Analytics Analytics •• AR/VR AR/VR

Better Outcomes Better Better Outcomes Outcomes New business models New business models New business models New partnership modelsmodels New partnership New partnership models New operational modelsmodels New operational New operational models Newrevenues service revenues New service New service revenues field services New field New services

New field services

Source: IGnPower

Source: IGnPower INFORMATION GOVERNANCE WORLD

EMERGING TECHNOLOGY compelling organizations to transform the way they operate and ultimately bring about significantly better outcomes. This is done by applying three types of change factors: Business, Technology, and Governance factors. IoT is one of the key enablers of IDX. Throughout their IDX journeys, organizations across the IoT solution supply chain6 must first assess the current levels and states of trustworthiness (security, privacy, reliability, resilience, and safety) of their IoT systems; second, define the corresponding minimum and mandatory levels of compliance; and third, develop and execute strategies for achieving and sustaining compliance with the minimum IoT Trustworthiness requirements throughout the IDX journey. THOMAS SIEBEL ON DIGITAL Transformation7: The technical name for IoT–cyber physical systems–describes the convergence and control of physical infrastructure by computers. We see IoT everywhere––connecting devices in value chains across industry and infrastructure and generating terabytes of data every day. Data produced, stored, consumed, and exchanged by IoT systems MUST be protected (in motion, at rest, and in use) This protection must be applied throughout the IDX Journey and beyond. Failure to do so can lead to serious disruptions and interruptions in that journey, putting in question the ability of the organization to achieve the intended better outcomes within the set timelines and budgets. CONCLUSION Protecting IoT data throughout the Industrial Digital Transformation journey is key to the success of that journey. Data protection strategies must be designed to mitigate multiple types of risks to data in all their states: at rest, in motion, and in use. Failure to do so can lead to serious consequences for IoT systems, such as service disruptions, serious industrial accidents and personal harm, loss of IP, regulatory fines, and negative impact on brand reputation. This requires the active engagement of the Business, Operations, CIO, CISO, and CDO organizations. The governance of the IoT data overlaps with and in some cases can be an integral part of data protection efforts. Thus IG Programs, which are typically focused on IT data, need to be aligned and perhaps integrated with data protection activities and processes. It behooves IG professionals to gain knowledge and understanding of IoT systems, the context of the IoT data that these systems produce, store, consume and exchange, and finally how they can contribute to the data protection efforts in the organization. BASSAM ZARKOUT IS THE FOUNDER AND EXECUTIVE VICE PRESIDENT OF IGNPOWER IN OTTAWA, ONTARIO, CANADA. HE HAS IMPLEMENTED INNOVATIVE VISIONS FOR MULTI-JURISDICTIONAL IG PLATFORMS THAT INCLUDE IOT DEVICES. HIS INTERESTS INCLUDE ARTIFICIAL INTELLIGENCE, BLOCKCHAIN, GDPR AND PRIVACY BY DESIGN. HE MAY BE REACHED AT BZARKOUT@IGNPOWER.COM

INFOGOVWORLD.COM

IoT & HEALTHCARE FACILITIES DATA MANAGEMENT BY BAIRD BRUESEKE

ccording to IDC, the IoT market will reach almost $750 billion this year. A major problem that the IoT brings is the rapid accumulation of large amounts of data. The adoption of IoT technology is resulting in previously unimaginable amounts of data. According to Help Net Security, in 2025 there will be 41.6 billion IoT devices on the internet generating 79.4 zettabytes of data. This represents a real challenge for healthcare facilities managers who find themselves having to manage more and more IoT-enabled smart buildings and the equipment within them. Traditionally, the role of facilities manager dealt with physical infrastructure and mechanical devices. Now, commercial buildings are outfitted with equipment that generates significant levels of data such as electrical usage, temperature sensors, air flow volumes, and water flow measurements. Specifically, healthcare facilities have implemented IoT technology to ensure the comfort of their patients. Going forward, the facilities manager will have to work with the IT department to develop a facilities data analytics strategy to ensure that the IoT datasets do not become unmanageable. In order to prepare for the coming onslaught of IoT data, the facilitates team should address this task first: Prepare the data infrastructure. Many IoT devices collect more information

Where the IoT will be used in 2025 Percentage of all distributed devices, ranked by industry

Business/manufacturing: Real-time analytics of supply chains and equipment, robotics 40.2%

Healthcare: Portable monitors, electronic recordkeeping, drug safeguards 30.3%

Retail: Inventory tracking, phone purchasing, consumer analytics 8.3%

Security: Biometric/facial recognition locks, remote sensors 7.7%

Transportation: Self-parking cars, GPS, performance tracking 4.1 %

Other

9.4%

Source: Strategy Analytics, McKinsey Global Institute than is necessary. It is critical to develop a data plan focused on organizational goals such as reduced energy usage or enhanced customer experience via optimized lighting and temperature control. This can be accomplished by identifying the most relevant and valuable data, determining the sample rate, and then calculating the amount of storage space necessary for a day, a week, a month, and then a year. It is important to identify both

short-term and long-term storage requirements. For example, it may make sense to keep daily data for 30 days and then covert the values into monthly averages that can be stored as a single record, replacing the multitude of daily entries. The next priority is Data Security. The networked connectivity of devices brings with it significant security challenges. The Target Data breach started with the infiltration of their air conditioning system. It turns out

that in many stores, the Point of Sale (POS) devices were connected to the same flat network as the A/C systems. The facilities team must coordinate their IoT usage with the CISO to ensure that facilities network is safe and segmented from other corporate network functions. Healthcare organizations must address the overlapping security roles that exist between IoT devices that monitor bio-metric data and IoT devices that monitor environmental data within the rooms used to provide patient care. The final step is contingency planning. What happens when the smart meters stop talking? Is it possible to operate the building safely or does it need to be evacuated? Are the computers used to monitor the IoT sensors running current operating systems or are they stuck on Windows 95? Are the computers that manage the control systems backed-up on a regular basis? How long will it take to restore them in the event of a computer failure? The IoT has brought several new dimensions to the Facilities Managerâ&#x20AC;&#x2122;s job description. Forward thinking companies will invest in their future by ensuring these individuals have the skills and training necessary to do their job well. INFORMATION GOVERNANCE WORLD

BANKING & FINANCIAL SERVICES

BANKING ON IG: AN INTERVIEW WITH MATTHEW BERNSTEIN

atthew Bernstein is the founder of MC Bernstein Data. The company helps organizations meet the significant and increasing IG risks they face by changing the way systems and people manage information. They employ a proprietary Information Governance Operating Framework to efficiently assess and remediate IG risks. Their â&#x20AC;&#x153;Information Management as a Serviceâ&#x20AC;? enables firms to

INFOGOVWORLD.COM

meet their IG objectives by implementing the necessary capabilities without building resources and operations. IGWorld: Where did you grow up and go to school? I grew up in Forest Hills, Queens, in New York City, and went to the local public schools. It was a great place to live; a combination of city and suburb. Things got more interesting when I went to Stuyvesant High School and then to Harvard, both of which attract some very smart

people. One of my college classmates won the Nobel Prize in Physics for his work on the origins of the universe! When and why did you become interested in IG? About twenty years ago I was asked to develop a “system” for consolidating and analyzing investment information for Deutsche Bank’s “opportunistic real estate” investment funds business. The investments were very diverse and there was very little available technology to support the industry, so I wound up both defining our standards and leading our IT development. Subsequently, I led similar efforts for all of Deutsche Asset Management’s institutional business, which was about €400 billion of assets. Then, in the midst of Deutsche Bank’s most difficult period of regulatory investigations, the COO asked me to address Deutsche’s IG challenges at the enterprisewide level. That led to my last position with the Bank, where I established and built the global Group Information and Records Management function, covering Records Management, Archiving, and eDiscovery Operations. This was both the retention of data—including electronic communications and voice, unstructured, and application data— and data retrieval operations for legal and regulatory inquiries. Together with the Bank’s CISO and CDO, I was responsible for IG for an enterprise with more than 100,000 people in over 60 countries in multiple businesses. The progress we made in creating an enterprise-wide operating model that addressed the Bank’s issues was very satisfying. What developments have you seen in the IG space and what trends do you see emerging? I think there are two developments that are “trending” and will come to dominate concerns and efforts in Information Governance: Data Privacy and the rise of the Chief Data Officer. The head of Records Management at a large bank said

“

I think the increased profile of data privacy—now a concern of consumers, regulators, and politicians—will force a fundamental change in expectations of how well companies govern and manage their information.” to me, “GDPR is the best thing that ever happened to records management,” because it forces companies to engage in IG efforts more broadly and deeply. I understand that perspective, but I’d go further. I think the increased profile of data privacy—now a concern of consumers, regulators, and politicians—will force a fundamental change in expectations of how well companies govern and manage their information. Managing data privacy issues relates directly to the other trend: as companies are more and more reliant on finding value in their data, and CDO activities proliferate, conflicts between exploiting data and misusing data will arise quickly and pervasively. Effective IG will require the IG professional to work more closely with CDOs, otherwise “business value” drivers will overcome good governance. I think the IG challenge for the 2020s will be enabling the aggregating, manipulating, and analyzing of information, while complying with the letter and spirit of burgeoning world-wide privacy rules. What are the biggest challenges that companies face when

embarking on an information governance program? There are a lot of good ideas out there already about embarking on an IG program. But, from years of managing operations functions in companies small and large, I think more attention should be paid to building and assuring “sustainable performance.” I see many IG programs launched as “spot solutions,” in response to a problem arising from a business deviating from good IG practices (sometimes because no good “practices” were ever established!). But, after things are ‘cleaned up,’ how do organizations stay in compliance, as people, processes, and technology environments continue to evolve, change, and diverge? Building “Information Governance” concerns into a company’s “operating model” is as important as incorporating other operating risk issues, such as cybersecurity and business continuity, if a company is to avoid repeat failures. And new kinds of IG knowledge are needed to successfully grapple with diverse data types, sources, and repositories. So the challenge, both for starting and sustaining an IG program, is the breadth of enterprise knowledge and expertise required. INFORMATION GOVERNANCE WORLD

BANKING & FINANCIAL SERVICES Tell us about your new entrepreneurial venture. What was your primary motivation in founding MC Bernstein Data? In leading the IG strategy and operations functions at Deutsche Bank, I saw that an integrated enterprise view was necessary and lacking. And I came to realize that this is true for many organizations: responsibilities are fragmented, regulatory intelligence and governance are not a core competency, data is widely distributed, policy communications and controls are inconsistent, and business units are left to fend for themselves. I saw an opportunity in the market to offer guidance that would incorporate the broad range of expertise necessary to address these diverse issues and create sustainable performance. So, our Assessment and Remediation offerings account for the necessary integration of multiple disciplines, across governance, process, and technology. In addition, many companies prefer not to build out non-core functions, but rather to obtain those on a contract basis. Our Information Management as a Service offering provides resources and expertise to develop and run records and personal data information governance—drawing on our operational experience—and avoid significant infrastructure and operational investments. What are your firm’s competitive advantages? Firstly, experience: the senior members of our team have all held senior management positions in information governance operations functions in global financial services businesses. Secondly, we provide a single point of service for governance, technology, and process expertise. And lastly, we provide sophisticated and efficient assessments, remediation recommendations and strategy, and the services to maintain compliance. For example, Lynn Molfetta, who leads our Information Management 60

INFOGOVWORLD.COM

as a Service offering, was the Global Head of Records Management at Citigroup and then Deutsche Bank, and provided services to multiple business lines and operating functions in jurisdictions across the world. We focus on process maturity, rather than on “outcome” maturity; we know what capabilities are required to deliver the desired long-term results. Our proprietary Information Governance Operating Framework enables us to efficiently assess an organization’s current processes, succinctly describe the current state of information governance risk and business objectives, and then work with management to determine and deliver the desired objectives – whether with internal or external resources. What are the biggest threats and opportunities? Massive amounts of available data, commoditized IT infrastructure (storage and compute), and presumed value to be extracted create incentives to keep, store, and process everything, yet the risks associated with not governing this data are growing. Companies are more and more reliant on finding value in their data, while at the same time the public, regulators, and politicians are increasing their scrutiny of how companies use consumers’ data. What are you most optimistic or concerned about? I think companies should be much more concerned about the increasing IG risks resulting from the proliferation of “external data.” We see this in acquisitions and divestitures, service providers, “SaaS,” social media, cloud computing, “Bring Your Own Device,” and collaboration tools. I was recently advising a client who provides an exciting new employee feedback tool, delivered as a Slack channel, and hosted on Google Cloud. This raises some interesting challenges around information lifecycle management and privacy.

“

I’m optimistic about advances in technology that support IG. “Data discovery” tools increasingly enable us to “search, not sort...” I’m optimistic about advances in technology that support IG. “Data discovery” tools increasingly enable us to “search, not sort,” tackle the myriad types of unstructured data, and move more quickly than data catalogue development projects allow. “Regulatory intelligence” tools support a knowledge base of retention and privacy requirements, align those to business units, and efficiently distribute this information to systems and business units. Finally, what hobby or special skill do you have that might surprise your colleagues? I collect 19th-century photography; images from the “invention” of photography in 1839 until the turn of the 20th century. I find these pictures fascinating because people were trying to understand what this new medium was intended for—art, documentation, journalism? While at the same time, its use was exploding. When you look at the great images of classic photographers from the mid20th century, say Edward Weston, you know they were intending to create art. But what was Peter Henry Emerson intending when he took his very beautiful photos of fishermen and farmers in Norfolk in the 1880s? There’s a lot to look at and think about.

News

4 TOP FINTECH TRENDS FOR 2019 1. REGTECH GROWS UP “Regulatory Tech” focuses on using technologies like AI to automate compliance research and to manage regulatory processes. A new set of startups has attacked this segment. Key application areas of RegTech include tracking financial transactions in real-time to create accurate financial reports, lowering the risk of money laundering, cutting costs related to manual data entry, and improving data protection. According to Reuters, globally, investments in RegTech is expected to grow up to as much as $120 billion by 2020. 2. MORE INTELLIGENT CHATBOTS AI powered, voice-operated services increasingly play a role in improving the way AI chatbots analyze large pools of unstructured data which has made these tools far more effective. IBM’s Watson Assistant, for instance, leverages a client’s chat history to predict and intelligently direct clients to answers, or to human service reps, if necessary. According to Research and Markets, AI in the fintech market is valued at $6.84 billion in 2019 and is expected to reach as high as $26.92 billion by 2024 registering a CAGR of 31.5% during the forecast period (2019 – 2024). 3. BIG TECH GETS IN THE GAME Amazon Payments (online payments platform for Amazon accounts) started up in 2018 and already has 33 million+ users, and Amazon Lending lent more than $1 billion dollars to its platform sellers between June 2016 and May 2017. China’s Alibaba (through Ant Financial) and Tencent also jumped into the financial services business. 4. BLOCKCHAIN, BLOCKCHAIN, BLOCKCHAIN Distributed ledger tech—the underlying system that powers cryptocurrencies such as Bitcoin or Ethereum––aims to change monetary transactions and the financial sector dramatically. Blockchain has been slowly taking over the traditional banking system. Why? One of the reasons is the reduction of paperwork as it updates the digital ledger in real-time while storing all records in a highly tamper-resistant ledger. Developments in blockchain payments are likely to continue, though visions of decentralized finance and peer-to-peer lending are still distant.

THE RISE OF FINTECH AND ITS IMPACT ON THE FINANCIAL WORLD The University of Southern California’s Marshall School of Business convened a workshop on the latest developments and future prospects arising from the convergence of banking and financial technology, or “fintech.” The event was co-sponsored by the Institute for Outlier Research in Business, Lexant Advisors, and Berkeley Research Group. The Institute for Outlier Research in Business (iORB) provides resources for researchers, managers and policy makers to encourage, fund, and reward outlier research through entrepreneurial programs and initiatives. “This revolutionary event brought together bankers, academic researchers, and leaders at pioneering fintech companies to collaborate and address some of the most challenging business and big data issues facing our rapidly evolving sector,” said Gerard Hoberg, Professor of Finance and Business Economics at USC Marshall. Walt Mix, Managing Director and Financial Services Practice Leader with Berkeley Research Group, kicked off the corporate presentations with a description of the big picture on the regulatory, business, and fintech environment. He discussed the rise of fintech and its impact on the financial world. Additional program highlights included: - Jeff Keltner, Head of Business Development for Upstart Finance shared how the company has successfully developed and deployed machine learning to extend consumer loans, now reaching $4 billion while meeting regulatory requirements; - Daniel Mason, VP Strategy and Operations of Spring Labs described the challenges facing the credit score business and suggested some technological solutions; - Victor Ardulov, CSO of Calypso AI shared his years of experience in helping financial institutions by using big data to meet and even surpass compliance requirements; - Rich Finkelman, Partner with Vista Analytics updated the latest R&D on mashing learning and AI. - Juan Suarez, VP Legal with Coinbase––a leading bit coin company in the United States––shared with the audience the latest developments in blockchain operations, financial data mining, and bitcoin trading. The session concluded with a robust discussion covering a wide-ranging subjects from the core themes of the conference to international business issues with active audience participation. INFORMATION GOVERNANCE WORLD

BANKING & FINANCIAL SERVICES

DEVIE MOHAN: FINTECH FROM ACROSS THE POND

evie is a fintech marketing strategy and research professional with years of experience.She has worked in strategy, marketing, and analysis roles in firms like Goldman Sachs, Thomson Reuters, Ericsson, IBM, USAID, and SunTec. She is a consultant and researcher for several fintech startups, banking innovation groups, and investors with a keen understanding of the trends and activities of startups, banks, and investors in the space. Devie has a good understanding of the international financial and technological markets, having grown up in India and lived in global financial centers like London, Stockholm, Washington DC, New York, and Mumbai.

INFOGOVWORLD.COM

Having travelled to over 50 countries and worked with teams in over 47 countries, she understands and analyzes regional technology trends and market developments. With a computer engineering background, she is also passionate about inspiring young women to find success in technical fields. IG World: Where did you grow up? Go to school? I grew up and studied in a town in southern India (small by Indian standards, but still has around 900,000 people) called Trivandrum. It is very much a coastal town with lovely beaches, lots of tourists and a laid-back culture. I then went on to do management programs in the U.S., Switzerland, China, and the UK.Â

“

What did you study at university, and was your favorite university course? I studied computer engineering when it was still a relatively new career path in the 90s. Computer programming is very much on trend as a career now, but back then, it was quite exploratory and an adventure, trying out how to program everything from microprocessors to websites, but without the help and support of highspeed internet! We had some wonderful teachers on the course who guided us through this exploratory world and told us about the highly innovative things being built around the world. I especially loved a subject called Logic Circuits Design. What is your idea of a perfect day? My idea of a perfect day is one where I get to do all my favorite things—work on a very interesting project (usually at Burnmark), spend time with family, and eat good food. Ideally, by the sea. What prompted your interest in the fintech industry? I studied technology for my degree, but studied Finance, Marketing, and Strategy for my MBA. I had worked with both technology firms (IBM, Ericsson, etc.), finance firms (Goldman Sachs, Thomson Reuters, etc.), and fintech was a great way to merge all my knowledge and experience accumulated in both industries. I got into the industry by writing and blogging, and moved on to advise startups and banks on how to survive, compete, and collaborate in the fintech world. How has fintech changed in the last decade? What are the most exciting or promising changes or trends? I feel nostalgic about this sometimes—in the early days of fintech, my days were filled with observation and learning. I have met, or spoken to, most of the startups launched in the early 2010s and had a very good eye for future success. I could predict the future trends of fintech and technologies in my sleep.

I spent 20 years learning various styles of Indian classical dancing. I could dance on a brass plate with a pot balanced on my head!” However, the data and the truth are now more murky due to a lot of money spent on PR by fintechs as well as banks, and the sheer number of startups. I launched Burnmark to create a system to address this. We spend hours analyzing data and looking at what startups are doing to address the reality of the fintech world. The fintech industry cannot purely be measured by numbers though, the personal stories and innovations coming out of unexpected sources are equally important to capture. What has been the impact of GDPR on the fintech industry? I think it’s great that more regulations are focusing on the general public’s desire for privacy and security, and having ownership of their own data. It’s been expensive for the industry, but absolutely essential to get done. What advice do you have for those trying to innovate in the fintech segment? Be authentic. Don’t go by what others have done in the past, and where multi-million funding rounds have been raised, but find your own area of the market where you can excel. The money will follow. If you could have dinner with living people, who would they be,

and why would you choose them? Queen Elizabeth II (one of the women I admire the most, someone who’s offered stability to this country more than anyone else); Michael Schumacher (someone I’ve admired for decades); Phoebe Waller-Bridge (who I think is the best contemporary writer we have). What special skill or hobby to you have that might surprise your colleagues? I spent 20 years learning various styles of Indian classical dancing. I could dance on a brass plate with a pot balanced on my head! What do you like most about living in London? What is your favorite London lunch or dinner place, and why? I have been to 52 countries, but nothing compares to living in London! I have been here for 15 years now, but I still discover new neighborhoods and streets and food joints almost every week. You can walk into a new part of London and feel like you have arrived in another country. It’s unexpected. It’s gorgeous. I have too many favorite places to count! My current lunch favorite is the Waiting Room in Deptford for vegan food. My dinner favorite, though clichéd, is Dishoom. INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE TRADE SHOWS & CONFERENCES Using Smart Contracts and Developing Measurable Metrics for IG. https://www.arma.org/events/EventDetails. aspx?id=1166128&group=

Fremont Street Experience, Las Vegas

IAPP PRIVACY. SECURITY. RISK. – 2019

September 22-25 (Las Vegas) Attendees to this conference will learn how privacy and technology can work together to make innovation and data protection synonymous. Speakers will tackle topics ranging from AI to the Internet of Things at a practical, operational level. Learn solid fundamentals such as key indicators for managing risk and conducting effective Privacy Impact Assessments (PIA). The Jan. 1, 2020 CCPA deadline will be here quicker than you imagine. Prepare for success by hearing from the people at the forefront of shaping of the law. The IAPP Privacy. Security. Risk - 2019 conference will provide the forum to make connections at world-class Networking Events. The breakout sessions will be operationally focused to ensure the transfer of practical information. Topics include: Digital Identity, Dark Data and a breakout session entitled, “What Would You Do?” that will give attendees the opportunity to match wits with top data protection officers from GlaxoSmithKline, T Rowe Price and the Four Seasons Resort Hotels. https://iapp.org/conference/privacysecurity-risk/ What to do in Las Vegas If you want some action that is not on the strip, try Fremont Street. At Binion’s, you can take your picture in front of a million dollars in cash. There is also a Zipline that starts off more than 7 stories (77 feet) in the into the sky. At night, you can enjoy the Fremont Experience which includes a light show of unparalleled proportions. Checking into the Golden Nugget, you will have an opportunity to share their 64

INFOGOVWORLD.COM

swimming pool with five different species of sharks! The Stratosphere offers a scary ride, the X Scream which thrusts riders over the edge of the 100-story building in a way that lets thrill seekers dangle high in the sky. The Big Apple Coaster at New York, New York is a kilometer and a half of high-speed twists and turns with speeds approaching 50 mph. Las Vegas is a place where everyone can find activities they enjoy! https://notaboutthemiles.com/best-thingsto-do-in-las-vegas/

ARMA INFOCON 2019

October 21-23 (Nashville) The ARMA Conference is the premiere event for records and information management professionals to learn and share industry best practices. IG providers and key corporate stakeholders will get in-depth, groundbreaking educational content for the full information lifecycle. This year’s conference is being held at the Gaylord Opryland Resort and Convention Center. It will feature several workshops including Advanced Technologies, Information Management Fundamentals, Information Projects and Risk Reduction. ARMA InfoCon 2019 is a 3-day event which features non-stop presentations on current and timely topics. Presentation titles include: Cloud Risk and IG: What you need to Know; Cyberattacks and IG Today – You Be the Judge; Coping with Orphaned Information Assets; Panning for IG Gold; File Analysis 101; Tidying Up Share Drives: How Charter Communications Addressed the Challenge; Blockchain Technology:

Jack Daniels Distillery, Nashville

What to do in Nashville Nashville is home to many music legends and the places they made famous. The “Grand Ole Opry” stage is definitely something to see. The Country Music Hall of Fame and Museum and historic Ryman Auditorium are in downtown Nashville, as is the “District” which features honkytonks with live music and the Johnny Cash Museum. The musical spirit lives on in local musicians and headliner talents who perform in venues around the city. Nashville is located on the Cumberland River and there are paddle wheel steamers which offer lunch and dinner cruises. Site seeing opportunities include the Belle Meade Plantation and Andrew Jackson’s Hermitage. Tennessee is also famous for its whiskey, and there are many local varieties to sample and tour buses will take you to the Jack Daniels distillery. https://traveladdicts.net/things-to-do-innashville-tennessee/

ASSOCIATION OF CORPORATE COUNSEL (ACC) ANNUAL MEETING

October 27-30 (Phoenix) The ACC’s Annual Meeting provides In-Housel Counsel with the chance to connect, network and learn from their peers. Trevor Faure, former Global General Counsel of Ernst & Young is the keynote speaker. He will discuss, Smarter Law: From Emotional to Artificial Intelligence, Transforming Busy Lawyers into Business Leaders. The meeting features over thirty presentations from practicing professionals including: Best

Practices in Legal Operations using the Legal Operations Maturity Model; 67 Legal AI Solutions in 67 Minutes; AI, Innovation and Predictability in eDiscovery; Lessons Learned from the Fortune 500: Implementing an Effective Compliance Program; eDiscovery in the Age of Emerging Applications; Preventing Employees from Hoarding Documents; Managing Spend and Showing Value. https://www2.acc.com/ education/am2019/?acc_ source=EducationEventsPage&acc_ campaign=Am2019 Camelback Mountain, Phoenix

What to do in Phoenix Phoenix is known for its year-round sun and warm temperatures. In October, the average temperature ranges between 65 at night and 85 during the day, perfect weather for those folks wanting one last taste of summer before returning to the cold winters of the northeast and Midwest. Camelback Mountain is a great place to go hiking. It is an iconic peak which offers spectacular views of Phoenix and the surround valley. The surrounding desert is an arid landscape best seen from hot air balloons. Riverview Park has excellent walking trails and access to the Arizona State University Campus. The Pointe Hilton Tapatio Cliffs Resort has wonderful cuisine. Its location at the top of a mountain provides awe-inspiring views which complement the dining experience. No description of Phoenix activities would be complete without mentioning the myriad golf courses, many designed by famous players including Jack Nicklaus. For the adventurous with the time for a side trip, the Goldfield Ghost Town is a glimpse into the 1890s western era. Activities include gold-mine tours, Old West gunfights, a history museum & more. https://www.visitphoenix.com/things-to-do/

INFOGOV WORLD IG & INFONOMICS SUMMIT Nov 5, 2019 (New York)

IG World Magazine is holding our second IG & Infonomics Summit on Tuesday, Nov. 5 in New York to educate C-level executives and IG leaders on how to leverage information value. The Summit will be held at the elegant, award-winning Hotel Michelangelo in New York. Presenters include Rich Kessler (KPMG LLP), Rich Hale (Active Navigation), Neil Calvert (LinQ) with a special appearance by Doug Laney, the author of Infonomics, How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage. Attendees will participate in exercises designed to engender real world understanding of how Information Governance can be used to monetize information value using the principles of Infonomics. To register, email events@infogovworld.com. events.infogovworld.com What to do in New York New York City is full of iconic places to visit. Attractions include the Statue of Liberty, the Empire State Building, Wall Street, Broadway, the 9/11 Memorial and the One World Trade Center Observatory. Visitors who want to see the city from a different vantage point can take a New York Harbor Empire State cruise. Building, NYC Rockefeller Center is an Art Deco skyscraper and the view at the Top of the Rock is like no other. Central Park is a wonderful place to relax and get away from the crowded city streets. Among the famous museums, two that stand out are the Museum of Modern Art, where you can see works by Van Gogh, Picasso and Warhol, and the Metropolitan Museum of Art (the Met) where you can explore a global perspective of art history. https://freetoursbyfoot.com/things-to-doin-new-york-city/

HIMSS HEALTHCARE SECURITY FORUM

December 9-10 (Boston) The HIMSS Healthcare Security Forum provides the opportunity for you to mingle with experts and peers who understand the daily challenges of providing security in a healthcare environment. This conference will provide the latest updates on new and emerging cyber threats. You will learn how to maximize your existing technology investments, hear best-practices on creating a “security-first” culture and learn how to implement a resilient security framework that supports organizational business goals and innovation. The Keynote speaker will be Michael Coates, former Chief Information Security Officer (CISO) of Twitter and Mozilla. Other speakers include Dan Bowden, VP and CISO of Sentara Healthcare, Dan Costantino, CISO of Penn Medicine, Darren Lacey, CISO at John Hopkins University and Lee Kim, Director, Privacy and Security for HIMSS. Educational tracks will include: Prevention, Leadership & Culture, Detection & Response. https://www.healthcaresecurityforum.com/ boston/2019

Boston Harbor

What to do in Boston The historic town of Boston offers visitors a plethora of interesting opportunities to see the actual venues where many important events in American history occurred. From Beacon Hill to Harvard University to Fenway Park, Boston is a treasure trove of Americana. The Boston Harbor is close at hand. Intrepid visitors may wish to throw tea in the harbor to commemorate our ancestor’s historic rebellion against British taxation. Others may wish to visit cutting edge restaurants or the local craft beer and breweries. https://www.boston.gov/visiting-boston INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE EVENTS Aug 19-21 Aug 23 Aug 24-30

IDG CIO 100 Symposium & Awards Ceremony (Colorado Springs, CO) IRMS Data Protection and Ethics (London) IFLA Libraries: Dialogue for Change, 85th General Conference and Assembly (Athens)

Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep Sep

2-3 7 8-15 13 14-18 15-17 15-18 18 16-18 22-25 23-27 26

CLOC 2019 Sydney Institute (Sydney) EDRM Technology Assisted Review Best Practices (Durham) SANS Network Security (Las Vegas) IRMS Data Ethics – It’s Legal, but is it Ethical? (London) AHIMA National Convention & Exhibit (Chicago) Nuix User Conference (Hyatt Regency, Huntington Beach) SCCE 18th Annual Compliance and Ethics Institute 2019 (National Harbor, MD) The Sedona Conference Working Group 11 midyear meeting (Montreal) HIMSS Health 2.0 Annual Conference (Santa Clara) IAPP Privacy. Security. Risk. – 2019 (Las Vegas) U.S. National Health IT Week WiE Legal Technology Showcase & Conference (Houston)

Oct Oct Oct Oct Oct Oct Oct Oct Oct Oct Oct Oct Oct Oct

4 5 8-11 14-16 14-16 16-17 16 -18 18 20-23 21-23 23-24 24 27-30 29-30

HIMSS 11th Annual Clinical Informatics Summit (Los Angeles) WiE SoCAL Tech Conference (Irvine) RIMPA Live 35th Annual Convention (Melbourne) GICLI Gov Investigations & Civil Litigation Institute’s 5th Annual Meeting (Lake Tahoe) Privacy+Security Forum Cybersecurity + Risk Summit (Washington DC) NDSA Digital Preservation (Tampa) EDI Electronic Discovery Institute 9th Annual Leadership Summit (Lake Tahoe) SANs 2019 Cloud Security Brief (Seattle) Relativity Fest eDiscovery community including WiE (Chicago) ARMA Live! (Nashville) DAA 2019 ONE Conference (Chicago) The Sedona Conference Working Group 1 Annual Meeting (St. Louis) ACC (Association of Corporate Counsel) Annual Meeting (Phoenix) IAPP ANZ Summit (Sydney)

Nov 5 InfoGov World IG & Infonomics Summit (New York) https://events.infogovworld.com/ Nov 5-6 Forrester 2019 Data Strategies & Insights Forum (Austin) Nov 12 AIIM Forum Europe Nov 13 ILTA (International Legal Tech Association) ILTACon Europe (London) Nov 13-14 CFO Alliance CFO Live (New York) Nov 15 SANS Dark Web Briefing (Boston) Nov 19 Sedona Conference on Global Aspects of Patent Litigation (Kildare, Ireland) Nov 19-20 IIA New Zealand Annual Conference (Wellington, New Zealand) Nov 19-21 IG Basics & Advanced Classroom Training (Miami) Institute for IG, register at IGTraining.com Nov 20-21 ISACA InfoSecurity North American Expo and Conference (New York) Dec 2 Healthcare Conferences in UK - IG in Practice Masterclass (London) Dec 2-5 Black Hat Europe 2019 (London) Dec 5 InfoGov World IG & Infonomics Summit (San Francisco) https://events.infogovworld.com/ Dec 9-10 HIMSS Healthcare Security Forum (Boston) Dec 9-12 DG Vision – Data Governance & Stewardship (Washington DC) Dec 12-19 SANS Cyber Defense Initiative 2019

INFOGOVWORLD.COM

Note: events highlighted in yellow have write ups in Trade Show Section