IG World Vol 1 * Issue 2 - Winter 2019 by IG World Magazine

INFORMATION GOVERNANCE WORLD

IS THE ROLE OF DPO MEDICAL DEVICE SECURITY: MISUNDERSTOOD? A WICKED PROBLEM

ADVICE FROM LEADING IG EXPERTS

KPMG’S RICH KESSLER ON INFOGOV AND INFONOMICS

MICHAEL OSTERMAN

CCPA AND GDPR EXPAND PRIVACY REGULATIONS

The H uman

Touch

ASHISH GADNIS HIS QUEST TO END THIRD WORLD POVERTY WITH BLOCKCHAIN

VOL 1 • ISSUE 2 WINTER 2019

INFOGOVWORLD.COM YOUR GLOBAL IG RESOURCE®

DR. VICKI LEMIEUX

ON BLOCKCHAIN RECORDS

GEORGE SOCHA

FATHER OF THE IG REFERENCE MODEL

DR. PATRICIA FRANKS IG CAREER PATHS

HON. RON HEDGES E-DISCOVERY & THE LAW

ROBERT SMALLWOOD IG ASSESSMENT MODELS

Data Monetization & Infonomic$ Summit The path to leveraging information value: From Information Governance to Infonomics When: May 17, 8:00am-5pm Reception & Book Signing 5pm-6pm

Where: Talbott Hotel, Chicago Who is Invited: C-level Executives Featured Speakers:

Robert Smallwood, Institute for Information Governance

Rich Kessler, KPMG

The elegant Talbott Hotel

Ren Leming, Informu Solutions

Neil Calvert, Linq Infonomics Solutions

Special Appearance by Doug Laney, author of Infonomics

Is data the new oil? Join us and key C-level executives to understand how to navigate the journey to harvesting newfound information value. You’ll learn the principles and formulas for monetizing information from Doug Laney’s groundbreaking book, Infonomics. We’ll have insightful presentations and panel discussions, including a group lunch, then a reception where you can network with peer executives and industry leaders. The event will be held at the award-winning Talbott Hotel, a jewel in downtown Chicago’s Gold Coast. Cost: $595. Includes continental breakfast, lunch, coffee breaks, a cocktail reception, and a copy of Laney’s Infonomics. By invitation only. Request yours today by emailing events@infogovworld.com. INFORMATION GOVERNANCE WORLD

MEDIA SPONSOR

PUBLISHER’S LETTER

“

we are becoming an educational and inspirational vehicle for thousands of IG professionals around the world.”

IG World magazine started as a concept over five years ago, and now, in our second issue, it is quickly becoming the voice of the IG discipline. But beyond that, we are becoming an educational and inspirational vehicle for thousands of IG professionals around the world. Our cover story on Ashish Gadnis’ use of blockchain technology for humanitarian efforts is a moving and fascinating piece, which perhaps can inspire others to follow his lead. We publish IG content found nowhere else, including real stories and guidance from pillars of the IG community. We’re honored and gratified that leaders in IG have generously contributed their intellectual talents and insights to this issue. Some of the articles are incredibly deep and thought-provoking. Sure, we have some light reading and news stories, because our goal is to keep the magazine PHOTO BY BEN SIEGFRIED

entertaining and educational. But we also are publishing highly-sophisticated, astute advice from some of the most brilliant IG minds around the globe. And you’ll notice that we highlight the contributions of women in IG, which we see as part of our editorial mission. Women are historically underrepresented in IT careers, and we are working to change that. We have continued our focus on not only information risks and costs, but also information value, which can be derived using infonomics principles. Keeping an eye on harvesting and leveraging information value helps IG programs gain and maintain executive support. Executive leadership is the most important factor in IG program success. We’re holding our first Data Monetization & Infonomics Summit on Friday, May 17, at the fabulous Talbott Hotel in Chicago’s Gold Coast Historic District, to educate C-level executives and IG leaders on how to leverage information value. Doug Laney, author of Infonomics, will join us and hold a book signing. Request your invitation at events@ infogovworld.com. I encourage you to attend the annual MER Conference, the best IG conference in the Spring season. I’ll be teaching our popular IGP Certification Prep Crash Course on Sunday, and will lead an IG Program Launch Workshop on Tuesday afternoon. Enjoy this issue and feel free to pass it along to your IG colleagues, or consider a team subscription. We appreciate your word-of-mouth support and also your suggestions and comments. If you have any ideas, comments, or criticisms, please feel free to send them to us directly.

Robert Smallwood CEO & Publisher

Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com 4

INFOGOVWORLD.COM

LETTER FROM THE EDITOR

“

Infonomics is the tie that binds the key sub-market segments into a unified IG market.”

Developing this issue of IG World magazine has been quite rewarding. There was real joy in learning Ashish Gadnis’ story, and understanding the blockchain lessons Vicki Lemieux taught us, and also the insightful IoT Trustworthiness journey articulated by Bassam Zarcout. Our Winter issue of IG World hits a very high mark of being educational, informative, and interesting. It was an easy decision to put Ashish on the cover. His mission to empower 100 million people out of extreme poverty is heroic in scope. To transform an idea from intent to action is a remarkable feat. The vision of connecting those who live in extreme poverty to the global supply chain using blockchain based digital identities is an idea which empowers the poor with dignity and credibility. It also provides them with a pathway to new economic opportunities. Access to a digital identity is a big benefit that opens up the future for the impoverished. It is a living example of the Intrinsic Value Index. We salute Ashish’s work and encourage everyone to support his struggle to connect global brands to the “lastmile” in their supply chains. PHOTO BY BEN SIEGFRIED

But there’s much more than our awesome cover story in this issue. We also interview five IG thought leaders including Vicki Lemieux, and IG pioneers George Socha, Richard Kessler, Ron Hedges and Dr. Patricia Franks. These interviews provide you with insights into IG and also the real people who are defining IG as it matures. The Master of Your Domain article talks about IG and Infonomics, and how businesses can measure data value. IG World postulates that Infonomics is the tie that binds the key sub-market segments into a unified IG market. To expand the educational nature of our magazine, we added a special section, IG Best Practices. We are grateful to George Socha, the co-creator of the Electronic Discovery Reference Model and IG Reference Model for making the time to talk with us. His interview provides insights into the relationship between well implemented IG programs and eDiscovery costs. And Robert Smallwood’s overview of IG Assessment models is both enlightening and comprehensive. Our intent is to provide the IG Practitioner with the information they need to implement the IG promise of reducing information risk and at the same time, setting the stage for increased information value. The IG Best Practices section provides actionable information which supports this goal. Our mission is to be the voice of the Information Governance market and your global IG resource with events like our upcoming Data Monetization & Infonomics Summit in Chicago on May 17th. Many thanks to everyone who helped us celebrate at the Launch Fiesta in Anaheim at ARMA last October. We truly appreciate your support. You are all invited to join our tribe, our community! Please sign up at subscribe.infogovworld. com. Enjoy this issue and please reach out and contact us with your comments and suggestions. It is a pleasure to be your voice!

Please send your comments, suggestions, and story ideas to me at bb@infogovworld.com 6

INFOGOVWORLD.COM

Enjoy the issue.

Baird Brueseke Executive Editor

For more information about becoming a Certified Records Manager or Certified Records Analyst contact (518) 463-8644 or visit www.icrm.org

INFORMATION GOVERNANCE WORLD

CONTENTS INFORMATION GOVERNANCE IN SOCIETY 10 12 13 13

Doctor Blockchain by Vickie Lemieux IG World Magazine Launch Fiesta Tech Innovators: The Year of the Woman Ashish Gadnis – Blockchain in 3rd world countries

INFORMATION GOVERNANCE IN HEALTHCARE 14 18 18 19

Medical Device Cybersecurity: A Wicked Problem by Ty Greenhalgh Protecting Wearable Device Bio-medical Data EHR Inter-Operability Challenges The Healthcare IG Imperative

INFORMATION GOVERNANCE BEST PRACTICES 20 24 26

The Trailblazer - Interview with George Socha Tool Time: IG Assessment Models by Robert Smallwood Perfect Ten by Bud Porter-Roth

INFORMATION PRIVACY 28 29 30 32 33 34

Playing With Our Emotions Protect and Serve? Battle of the Devices Looking Back to See the Way Forward A Timeline of Data Privacy Fails The GDPR and the CCPA by Michael Osterman

COVER STORY

DATA GOVERNANCE

42 The Human Touch - Interview with Ashish Gadnis

68 69 69

ANALYTICS & INFONOMICS 50 54

For the Record - Interview with Richard Kessler, KPMG Master of Your Own Domain by Neil Calvert

REGULATORY COMPLIANCE 56 Private Eyes

LEGAL & eDISCOVERY 58 60

Women in eDiscovery by Jessica R. Gross, Esq and Lauren Doucette, Esq Growing Up Legal by Ron Hedges

RECORDS & INFORMATION MANAGEMENT 62 65 66

The Memory Collector - Interview with Pat Franks Farm Report Findings by Andrew Ysasi Busy Intersection by Teresa Schoch

Nine Steps to Governing Data Effectively Mass Data Governance is Major Topic at World Economic Forum Collaboration is Key to DG by Merrill Albert

CONTENT SERVICES 70 71 72

Content Management’s New World Order by James C. Just What’s A BYOD To Do The Case for an Enterprise Object- Oriented Information Taxonomy by Eugene Stakhov

ARCHIVING & LONG-TERM DIGITAL PRESERVATION 74 Why Archive Electronic Content? by Michael Osterman

EMERGING TECHNOLOGY 76 IoT Trust: It’s in the Journey by Bassam Zarkout 80 INFORMATION GOVERNANCE

TRADE SHOWS

82 INFORMATION GOVERNANCE

EVENTS

INFORMATION SECURITY 36 37 38 41

Star Struck by Justine M. Phillips, Esq. Getting Schooled Stepping into Security Assessments – Metrics & Executive Engagement Reducing the Risk

INFOGOVWORLD.COM

ON THE COVER: Ashish Gadnis – Founder and CEO of BanQu Inc., fighting extreme poverty with blockchain technology. Check page 42 for his exclusive interview. Photo by Nikki Acosta, Magnetic Focus Photography.

INFORMATION GOVERNANCE WORLD

YOUR GLOBAL IG RESOURCE® VOLUME #1 ISSUE #2 WINTER 2019

infogovworld.com

CEO & PUBLISHER

Robert Smallwood COO & EXECUTIVE EDITOR

Baird Brueseke CREATIVE DIRECTOR

Kenny Boyer SENIOR EDITOR

Dan O’Brien CONTRIBUTING EDITORS

Mark Driskill, Martin Keen, Andrew Ysasi CONTRIBUTING WRITERS

Merrill Albert, Baird Brueseke, Neil Calvert, Lauren Doucette, Mark Driskill, Ty Greenhalgh, Jessica Gross, James Just, Dan O’Brien, Michael Osterman, Justine Phillips, Bud Porter-Roth, Teresa Schoch Robert Smallwood, Eugene Stakhov, Andrew Ysasi, Bassam Zarcout CONTRIBUTING PHOTOGRAPHERS

Nikki Acosta, Brian Lau, Jean Marshall, Robert Ocharo MEDIA SALES

Scott Allbert SPECIAL THANKS TO INTERVIEWEES:

Pat Franks, Ashish Gadnis, Ron Hedges, Richard Kessler, Vicki Lemieux, George Socha

YOUR GLOBAL IG RESOURCE®

infogovworld.com 1.888.325.5914

Check us out online and sign up today for a free digital subscription to Information Governance World magazine. Print subscriptions for the quarterly mag are $49/year, or $195 for five team members.

888-325-5914

subscribe.infogovworld.com INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE

SOCIETY

Doctor Blockchain VICKIE LEMIEUX, BLOCKCHAIN ADVOCATE

icki Lemieux is an associate professor of archival science at the iSchool and lead of the Blockchain research cluster at the University of British Columbia –Canada’s largest and most diverse research cluster devoted to blockchain technology. Her current research is focused on risk to the availability of trustworthy records, in particular in blockchain record keeping systems, and how these risks impact transparency, financial stability, public accountability and human rights. Where did you grow up? Go to school? I grew up in Canada. My early years were spent in Ontario, but then we moved out west when my father obtained a medical residency in Calgary, Alberta. What were your favorite activities as a child growing up? I loved the outdoors, whether playing outside with my friends or going camping with my family. I also had an early love for science, so would play with my chemistry set or microscope (catching bugs to look at them up close), or take apart clocks and radios to see what was inside. Unfortunately, I wasn’t very good at putting them back together again! What motivated you to pursue a doctoral degree? Curiosity and the quest for knowledge. I find archival science fascinating and had a desire to delve into it more deeply. What were your research interests when you pursued your doctorate? I’ve always been interested in demonstrating the wider social or organizational significance of managing records. When the

INFOGOVWORLD.COM

Jamaican banking crisis occurred while I was living in Jamaica, knowing the condition of records management in the banks, I suspected that there was a connection between what we now call Information Governance and weak risk management and internal controls at the banks, which ultimately contributed to their collapse. The dynamic that I studied for my doctorate would, as it turns out, be played out ten years later on a global scale during the global financial crisis of 2007-2008. What do you like most about teaching at the university level? I really like when I can inspire students’ learning––either in class or through working with them on a research project. I also like helping them make industry or community connections that can help them land their first “grown up” job and launch them into their careers. I experience a great deal of joy when a student comes back to tell me that what I taught them, or the opportunity that I opened for them, has really made a difference in their lives. When did you first become interested in blockchain technology, and why? I first became interested in blockchain technology at the end of 2015. I happened to be reading the Financial Times and came across an article about how the government of Honduras was going to put all of its land records on a blockchain. It sounded preposterous to me, but I recognized that here was a technology that could be very disruptive to records management and archives. I had to investigate. When I started to look into it, my IT security background came in handy. Since blockchain uses cryptography, I was able to understand

how it worked and to analyze the solution that the company working with the Honduran government was proposing. I concluded that it wasn’t very good from a recordkeeping perspective (which I wrote about in my article in “Trusting Records: Is Blockchain Technology the Answer?”). However, I also recognized the potential of blockchain technology, which, if properly designed, could be extremely beneficial in a number of ways. And, at its core, it is a recordkeeping technology—a ledger—which interested me. What are the most unique uses of blockchain technology you have seen? I can’t claim to know every application of blockchain these days—there are so many! But the use cases that I find the most unique and compelling are those that aim to give the individual data self-sovereignty; that is, greater custody and control of our data and how it’s used. I guess that’s why I’m working on projects that focus on this aspect of blockchain technology—in healthcare and in the management of data relating to Canada’s First Nations. Aside from this use case, and on a more frivolous note, crypto-kitties are pretty unique . . . and fun! They’ve opened up a whole new world of natively cryptographic tradable assets which is contributing to the growth of crypto-economics. What do you see the implementation of blockchain technology looking like in 5 or 10 years? How will this change the way the world works? Making predictions is always a mug’s game and inevitably people get it wrong, so I’ll just say what kind of a world I’m seeking to create by exploring blockchain technology. I’d like to see it be used for positive social transformation—like data self-sovereignty—so that we have greater privacy, security, and control of our data. If you think about it, if each individual is in control of their data, it will be pretty transformative and powerful. It will also certainly transform the role of records professionals. Reimagining our roles in a world of self-sovereign data is bound to be interesting. To get to this longer-term vision, we’ll have to solve a number of open issues with blockchain technology, such as devising less environmentally damaging consensus mechanisms without compromising on trust, scalability, governance without constant forks and fits, scalability, and making cryptocurrencies and blockchains understandable to and usable for all. A vexing issue with blockchain for records managers is the ability to execute disposition: that is, discard or destroy records that have met their lifecycle requirements. Have you and your colleagues determined an approach or solution that satisfies disposition requirements? Yes, agreed. This has become a vexing issue. However, I believe this is because blockchains were never designed to store large amounts of information—they were initially designed to store very simple cryptographically encoded records of cryptocurrency financial transactions. In other words, a blockchain is not a content management system. Some designers and developers have been using blockchains this way, however, embedding

all kinds of cleartext messages, metadata about transactions, even large files of data, some of them containing personally identifiable information. This not only creates a record retention problem, and a data protection and privacy compliance problem, but it causes bloat in the blockchain. In my view, it’s better to keep transaction records and personally identifiable information off the blockchain. How this is best done requires paying careful attention to data and records architecture and design. For example, one possibility is to link the ledger entry to a transaction record using a cryptographic or hash link that points to an external data store where transaction records are held. To meet records retention requirements, the cryptographic link can be severed or rendered unusable when the time comes, and the ledger record can be “pruned” (which is done even in immutable ledgers in order to save storage). Determining the best solution requires applying knowledge of recordkeeping and knowledge of different blockchain systems to arrive at an optimal data architecture and solution design. There’s no simple, “one size fits all” answer.

“

A blockchain is not a content management system. Some designers and developers have been using blockchains this way”

Who is your favorite writer, and why? Right now, I’m enjoying reading Yuval Noah Harari’s books. I particularly like Homo Deus: A Brief History of the Universe, which explores the long-term future of life and really inspired me to think about the future of recordkeeping. I discussed these ideas in a talk I gave at the UK National Archives last spring called “Datafication, Distribution and the Future of Archival Science in the Age of Homo Deus.” You can listen to it here: https://media. nationalarchives.gov.uk/index.php/big-ideas-datafication/. When and where are you happiest? I’m a scholar, so I’m happiest when I’m reading something interesting, reflecting, and writing—things that I find I frequently do not have enough time to do! What do you like most about living in Vancouver? Vancouver is a truly naturally beautiful city—we are surrounded by sea and mountains, and the weather is temperate. Not like the typically cold Canadian winter. I never get tired of the view! —Mark Driskill VICTORIA L LEMIEUX, BA, MAS, PHD, CISSP, IS AN ASSOCIATE PROFESSOR OF ARCHIVAL SCIENCE AT THE ISCHOOL AND LEAD OF THE BLOCKCHAIN RESEARCH CLUSTER, BLOCKCHAIN@UBC AT THE UNIVERSITY OF BRITISH COLUMBIA – CANADA’S LARGEST AND MOST DIVERSE RESEARCH CLUSTER DEVOTED TO BLOCKCHAIN TECHNOLOGY. SHE CAN BE CONTACTED AT V.LEMIEUX@UBC.CA

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE | SOCIETY

Seth Wiliams, Chely Cruz, Robert, Maria Sloan, Mike Salvarezza

The food truck provided plenty of tacos for attendees!

IG World Magazine Launch Fiesta Over 150 delegates—far more than we expected—attended our IG World magazine Launch Fiesta last October. It was held during the ARMA Live! 2018 conference in Anaheim, on the Platinum Patio of the Marriott. The Fiesta featured Mexican music, a taco truck, passed appetizers, traditional Mexican wear, and fun for all!

PHOTOGRAPHY BY JEAN MARSHALL PHOTOGRAPHY

Robert Smallwood (center) with former students Marshall Commons, Barbara Dalton, Susan Hendrickson, Arlette Walls and Mary Arnold. Representing.

Paul Severn, Baird Brueseke (IG World), Juan Carlos Romero & Antonio Guillermo Martinez, of LibNova

Jason R Baron with sisters Maria Sloan and Chely Cruz.

INFOGOVWORLD.COM

AirBNB’s Wendy Riggs, Baird, Debbie Maxcy from Discount Tire, Charles Nguyen from NetGovern.

Cover Story

Tech Innovators:

THE YEAR

of the

WOMAN O

n April 23rd, the Women Transforming Technology consortium (wt2) will host its Fourth Annual Conference in Palo Alto. The event will feature inspiring role models and thought-leaders from the Silicon Valley tech industry. The theme of this year’s conference will be “Inclusive Innovators” who are “committed to building a community and tackling issues that are top of mind for women in technology.” This world-class community event is designed to continue the important conversation on advancing women in the workplace across the tech industry. It will host attendees ranging from students and executives to industry, academia and nonprofit organizations. Given the politically charged atmosphere of the #MeToo movement, and the record-setting burst of new female politicians, women will continue to bring inclusivity and accountability to the workplace. IG World applauds these female executives who have shattered the glass ceiling to succeed in the male-dominated world of IT. Ursula Burns was the CEO and architect of Xerox’s transformation from a company once known only for paper copies into a profitable company. Xerox successfully shed its “paper copy” business structure and developed document technology that relied on the flexibility of digital data. Burns now runs VEON, one of the world’s largest communication companies. Fei-Fei Li, Director of Stanford Artificial Intelligence Lab is an AI thought leader and innovator. Li is co-creator of ImageNet, a dataset of image objects that arguably kicked off the deep learning revolution. Additionally, Li works on issues related to using AI in education. She founded the non-profit organization AI4ALL. Entrepreneurs such as Marita Cheng entered the tech sector to solve problems relevant to their lives. As founder of Aubot, Cheng developed a robot that helps sick children attend school virtually. Cheng also co-founded Airpoly, a digital phone app that helps the visually impaired identify objects in the physical space. While the number of women in tech-sector leadership roles has increased in recent years, events such as wt2 bring to the fore women who have excelled, despite the challenges. Many have already moved beyond limits typically imposed on women in the workplace. Content for breakout sessions at the wt2 event has been developed by committees of women in tech, who have chosen the content and speakers as most relevant for women in tech community. The event is sponsored by VMware, in partnership with MotherCoders, Mozilla, Pivotal, Rubrik, Stanford VMware Women’s Leadership Innovation Lab. and Women Who Code. For more information about wt2 and to register for the event, visit http://www.womentransformingtechnology.com/. Content from the event will also be available to live stream through the website. —Mark Driskill

ASHISH GADNIS

– BLOCKCHAIN IN 3RD WORLD COUNTRIES Imagine life as one of 2.7 billion people worldwide who live in poverty. You have no identification documents, no credit, no business network, and are “unbankable.” You work and you survive with no economic identity, traceability, or support network: Small farmers, women entrepreneurs in villages, refugees living in extreme poverty—all are disconnected from the global economy that could sustain them. Then, along comes BanQu, and a man named Ashish Gadnis who offers a real solution using advanced, first-world technology. He is a Godsend for you and your family. BanQu offers the first and only blockchain records platform utilizing technology to empower the unbankable by helping them create their own economic identity—simply through a cell phone app. An award-winning blockchain-as-a-service company, BanQu fosters transparency, traceability and sustainability for farmers and refugees across the globe by connecting them to global supply chains, brands, organizations and governments. And, with identity and economic opportunity comes dignity, and a sustainable pathway out of poverty. A true calling, Ashish Gadnis has an incredible story to tell about his own struggle with poverty and how he translated his experience into a passion for helping others rise out of poverty and into the global economy. He endured hardship growing up in Bombay and standing in ration lines. He came to the U.S. to work with only $240 in his pocket. For three decades and throughout five continents, Ashish has been driven by a higher purpose, one originating from his own life experience, which is gaining him recognition for his social enterprise work in extreme poverty and conflict zones. The journey of Ashish and BanQu is one of hope, innovation, and opportunity; one that combines the determination of one man to fight extreme poverty with the promise of technology. Learn more about Ashish and his exciting mission in our cover story on page 36. —Staff

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE

HEALTHCARE

“

Robert Herjavec forecasts 2019 will experience a five-fold increase in attacks on healthcare organizations”

Medical Device Cybersecurity: A WICKED PROBLEM

ybersecurity attacks on medical devices can disrupt or deliver inaccurate patient care, as well as negatively impact business operations, resulting in staggering financial impacts due to lost revenue, fines, and penalties. Bruce Schneider, security expert, defines the term “Wicked Problem” in his bestseller, Click Here to Kill Everybody. It’s not evil, just difficult or nearly impossible to solve because defining the problem and requirements are hard enough, let alone creating an effective and sustainable solution. Many healthcare organizations are employing new solutions and resources for additional support. In May of 2017, the Wannacry ransonware attack indiscriminately encrypted 230,000 systems, demanded payment, looked for the next exploitable network device, and then replicated. It infected up to 70,000 devices at the National Health Service (NHS) in England and Scotland including blood-storage refrigerators, MRI scanners, and computers. In 2018, SamSam, yet another form of ransomware was responsible for over 25% of healthcare compromises. This Trojan horse ransomware encrypted the Hancock Health and Cass Regional Electronic Medical Record systems, took down the city of Atlanta, and in 50 minutes infected LabCorp’s 7,000 applications and 1900 servers. Robert Herjavec forecasts 2019 will experience a five-fold increase in attacks on healthcare organizations

INFOGOVWORLD.COM

TY GREENHALGH through the Internet of Things (IoT), ransomware, and Insider Threats. The ECRI Institute forecasts “Remote Access” as 2019’s #1 technology and patient safety threat affecting healthcare institutions. Whether the medical devices are a random victim of malware or a hacker’s focused target, they are the perfect vector to leverage remote-access attacks, exploit IoT vulnerabilities, and monetize ransomware or, worse, impact critical patient safety within healthcare. Like laptops, IoT devices are endpoints connected to a network, often wirelessly. Medical devices are a special category of IoT, with an astounding average of 15 per hospital bed. Connected medical devices, designed for remote access (support), do not permit anti-malware on the device and therefore can be easily hacked and manipulated, often more easily than a computer. Connected medical devices simply have more vulnerabilities and fewer security controls. Hackers hunt to find IoT devices. Shodan, commonly used by hackers, is a searchable database of internetconnected devices. Every compromised IoT device can be a point of entry into the hospital network, allowing cybercriminals to monetize Protected Health Information (PHI) or Personally Identifiable Information (PII). Even worse, IoT-actuating sensors have the ability to reach out from a digital world and make changes to our physical world. Examples include altering the dosage of an infusion

pump, modifying the frequency and severity of the shocks from implantable pacemakers, and impacting the accuracy of an MRI. The Ponemon Institute surveyed 300 health systems in a 2018 study titled Medical Device Security: An Industry Under Attack and Unprepared to Defend. A staggering 44% of Healthcare Delivery Organizations (HDO) are aware that patients experienced an adverse event or harm due to an unsecured medical device, while 40% had malicious software installed on the device and 38% admitted to inappropriate treatment as a result. The study found 80% of HDO’s reported medical devices are extremely difficult to secure, but despite these figures, only 15% of HDOs are taking significant steps to prevent attacks on medical devices. Healthcare cybersecurity leads all other industries, but in the bad way. The healthcare industry, per patient record, commands the highest resale (#1 target), the highest organizational breach cost, the worst overall malware detection and containment timeframes, and ranks first in lost clients due to a breach, but yet invests the least in cybersecurity as a percentage of IT budget. Before medical devices can be marketed to HDOs, the Food and Drug Administration (FDA) is required to approve submissions. In 2018, the FDA provided significant leadership through cybersecurity risk management requirements for manufacturer’s connected medical device approval submissions. However, the Inspector General’s September 2018 Report states the FDA needs to take additional steps to more fully integrate cybersecurity into its connected medical device review process. To date, solutions have focused on manufacturers designing cybersecurity into the device, a Software Bill of Materials (SBoM) providing device content and coordinated industry-wide sharing of known vulnerabilities. These efforts do not address the expected long lifecycle of existing medical devices and the threats they currently pose to patient safety. In 2017, Congress mandated the Healthcare Industry Cybersecurity (HCIC) Task Force to conduct a healthcare industry Cybersecurity Risk Assessment. The report findings concluded the healthcare industry is in critical condition. The Task Force defined six Imperatives that need to be addressed immediately, two of which were Information Governance and Medical Device Security. HCIC’s Information Governance Imperative specifies identifying, valuing, and managing assets and risks, which include medical devices and their PHI. These should be achieved through establishing controls, processes and procedures, creating incident response plans, and sharing information. Health and Human Services (HHS) suggests using the NIST Cybersecurity Framework (CSF), a risk management tool, in conjunction with the HIPAA Crosswalk, to improve abysmal HIPAA Privacy and Security compliance. Organizations like the Health Information Sharing Analysis Center (H-ISAC) are challenged to manage known vulnerabilities through a complex ecosystem of coordinated disclosure, discovery, patching, distribution, and deployment.

8 of 10 Information Governance Programs fail to meet their stated business objectives.

INFORMATION GOVERNANCE | HEALTH The Medical Device Security Imperative specifically calls out HDOs, manufacturers, and service organizations to address several vulnerabilities. Action items focus on securing legacy systems, upgrading and patching processes, strengthening authentication, implementing superior network segmentation strategies, and mandating an SBoM detailing components within a device. HDOs attempting to pinpoint legacy systems and security weaknesses must first establish an accurate and detailed inventory. Most inventories are conducted manually, are time consuming, and are highly inaccurate. Standard network security tools cannot properly assess medical devices nor provide details like classification, model, Operating System, IP/MAC fields, configuration, serial numbers, known vulnerabilities, how it sits on the network, and whether it stores PHI. Per the HIPAA Security Rule covered entities (CE) and business associates (BA) are required to make reasonable efforts in securing the PHI that is created, used, disclosed, transmitted, or stored. Most HDOs are at financial risk of HIPAA fines because they cannot produce an accurate device list, much less the device location, its risk level, what PHI is on each device, and which devices are missing. HHS convened over 150 cyber and healthcare experts from the government and the industry to deliver creative and practical voluntary best practices to address medical device cybersecurity. In December 2018, this Healthcare and Public Health Sector Critical Infrastructure Security Resilience Public-Private Partnership released the fourvolume publication providing guidance for the HCIC Report Imperatives. Medical device security remains a “Top 5 Threat” according to this HHS lead publication. HDOs have recently turned to sophisticated security software architects in hopes of tackling this “Wicked Problem.” These advanced solutions offer several benefits. The first benefit is an automated detailed device inventory, in which devices are discovered and grouped based on information gathered from network behavior and device communication traffic patterns allowing for increased security intelligence. These solutions are generally hyper-focused on medical devices and layered within a broader existing security framework, leveraging existing perimeter security investments and reducing costs. This medical device security software can provide an additional level of visibility and control, but integration with the existing IT systems internal and external networks can result in unique and challenging configurations. Another benefit supports the HCIC report’s #1 action item for medical device security, implementing operationally personalized network segmentation. But manually provisioning a network security policy for each device protracts implementation and increases costs to a point of project failure. Intuitively, these tools leverage inventory, behavior, and risk profile information in order to automate security design and policy enforcement, which significantly reduce the time and expense associated with micro-segmentation. 16

INFOGOVWORLD.COM

The real Ty assists in navigating sophistication occurs rough waters. when all of these manically complex features are combined. The system discovers the entire inventory of medical devices, leverages the device details, integrates known and active vulnerabilities, detects network intrusion activity, and determines anomalous device behavior, simultaneously. All of this previously unavailable and unrelated information is correlated by the most advanced solutions in real time, prioritizing device risk and escalating alerts. Where to begin a device security plan: • Create a Medical Device and IoT Security Plan • Form a multi-stakeholder team by establishing roles and responsibilities • Review policies and procedures to include Supply Chain Risk Management • Maintain good cyber hygiene and monitoring • Conduct an asset inventory (using new automated tools) • Prioritize devices based on the business mission • Access devices, remediate risks, and harden • Correlate the device risk assessment findings with a HIPAA risk assessment • Establish effective Governance • Prepare a detailed response plan to contain and eradicate • Design recovery strategies that leverage forensics and insure resiliency Patient safety, financial loss, and new laws holding executives personally responsible are increasing cybersecurity investment at the board level. The Office of Civil Rights (OCR) continues its stringent enforcement of HIPAA violations, looking back six years when any violation is reported. Increased penalties are the trend, where courts will award damages for potential future harm resulting from yesterday’s breach of PHI. Lost future business, legal costs, and downtime are also financially devastating. These losses, due to confidentiality failures, will pale in comparison to the additional penalties resulting from cyberattacks impacting device availability or integrity that result in adverse patient outcomes. These risks will not magically disappear. The extent they are reduced will be a result of deliberate integrated multistakeholder participation. Therefore, progressive HDOs are increasing collaboration, implementing a device security plan, exploring leading-edge solutions, and leveraging additional resources in an effort to solve a “Wicked Problem.” TY GREENHALGH IS A MANAGING MEMBER OF CYBER TYGR. HE HAS 30 YEARS OF HEALTHCARE TECHNOLOGY AND INFORMATION MANAGEMENT EXPERIENCE. HE IS A CONTRIBUTING MEMBER OF THE HEALTH AND PUBLIC HEALTH COORDINATING COUNSEL AND NCHICA BIOMEDICAL TASKFORCE AND CAN BE REACHED AT TY@CYBERTYGR.COM.

News

APPLE POISED TO LEAD WEARABLES MARKET In recent months there has been much talk about declining iPhone sales. While the reasons for this are debatable, not in dispute is the number of iPhones in use today. Although Apple has stopped reporting iPhone sales numbers, there are over one billion iPhones in use worldwide. 1 By all accounts, this is a staggering number. Equally staggering is the amount of data these iPhones use, control, and manage as people live their digital lives. Given the U.S.’s push to reform its electronic information infrastructure for the use of electronic health records (EHRs), Apple is poised to strengthen its wearables marketshare. As a leading tech company, Apple has a rare opportunity to shape public policy about the use of electronic information. One of the things that led to Apple’s saturation of the smartphone market was its development of an app ecosystem that is exclusive to the Apple platform.2 Today, the Apple App store is one of the most successful software stores in the history of software stores––success fed in part by the data protection security Apple offers as part of using its App Store. Alongside new iPhone releases, Apple has introduced the iWatch, a companion (in a literal sense) to the iPhone. This is not a passive relationship. Biometric sensors in the iWatch relay and share personal data such as heart rate with iPhones. This is an example of what could go into an EHR. When combined with other data and the App Store’s attention to cybersecurity, EHRs realize their true potential as a tool for health and illness prevention. Early data and research indicated that 90% of patients saw the health benefits of using Apple Health Records (AHR) to manage their health.3 Apple approaches the health wearable market from meaningful patient-controlled interoperability. The App Store introduces security into any app developed that will use health data within Apple’s ecosystem. AHR is Apple’s “official” platform for utilizing EHRs. This represents a chain of records integrity that ensures patient privacy. The key to this working is the utilization of EHRs in such a way that is natural to the user. —Mark Driskill 1 Bernd van der Wielen (2017, June 29). Celebrating 10 Years of iPhones: 63% of all iPhones Ever Sold Are Still in Use – 728 million. Newzoo. https:// newzoo.com/insights/articles/63-percent-of-all-iphones-ever-sold-still-in-use/ 2 Jessica Davis. (2018, June 29). Patient Records Crucial to Apple Health Strategy, Study Finds. https://ehrintelligence.com/news/patient-records-crucialto-apple-health-strategy-study-finds 3 Kyle Murphy. (2019, January 14). Early Data Shows High Patient Satisfaction With Apple’s PHR. https://ehrintelligence.com/news/early-data-shows-highpatient-satisfaction-with-apples-phr

Lack of Information Governance training is the leading cause of IG Program failure.

INFORMATION GOVERNANCE | HEALTH

EHR Inter-Operability Challenges Protecting Wearable Device Bio-medical Data

iven Apple’s expansion into the bio-medical wearables market, data protection in healthcare becomes a formidable task, particularly because these wearables produce a staggering amount of data. Apple’s wearable footprint has the benefit of being coupled with basic security measures already in place [i.e., the App Store’s app development guidelines and Apple Health Records (AHRs)]. While this structure is not a failsafe, it nonetheless represents a starting point in delivering patient data protection patients that trust. Building on this trust, healthcare systems must tie patient portal logins to this trust relationship. Information governance (IG) frameworks help in the development of this trust relationship. Datawatch identified 11 ways to master healthcare data.1 Datawatch’s strategic insights can be measured against other sets of strategic insights, which then become operationalized in an IG framework. All 11 ways identified by Datawatch have been developed with data protection, privacy, and interoperability as primary functions. Datawatch’s insights contribute to quality control and improvement. Quality Improvement (QI) “in the context of healthcare, is a systematic approach for ensuring consistent and safe patient outcomes. This approach includes a process for analyzing and using data to plan corrective action steps.”2 Using insights such as those identified by Datawatch, QI takes on the added protection offered by lifecycle management thinking. For example, humandevice interaction in terms of accessing patient records via smartphone-base patient portals is a product of a data audit. This type of audit systematically identifies all data that encounters the system. This includes the use of this data and how it flows through the organization. If the healthcare information system uses QI to improve the quality and access of this information, security must, as a rule, be part of the system. —Staff 1. Datawatch. (2018). 11 Ways to Master your Healthcare Data with Datawatch. http://www.datawatch.com/wp-content/uploads/2018/11/11-waysto-master-your-healthcare-data.pdf 2. MedPro Group. (2017). Patient Safety and Risk Solution. https:// www.medpro.com/documents/10502/2837997/Guideline_ Using+an+EHR+as+a+Quality+Improvement+Tool.pdf

INFOGOVWORLD.COM

he Senate Committee on Veterans’ Affairs recently raised alarm bells regarding the nation’s push to modernize the use of electronic health records (EHRs). The VA ran its own healthcare infrastructure as a function of the Department of Veterans Affairs. Meanwhile, the health IT infrastructure through which the rest of the federal government operated is separate and distinct from the VA. This causes issues of interoperability as the federal government attempts to merge the two health infrastructures. The Committee sent a letter to new VA CIO James Gfrerer urging him to not let the merge fail. The committee is concerned that the EHR Modernization project will leave the VA behind. Past efforts to merge the two systems have failed, in part because project management structures came from two unique bureaucratic institutions within the federal government: The Office of the Electronic Health Record Management (OEHRM) and The Office of Information and Technology (OI&T). Compounding the problem are two distinct systems. The VA uses VistA, while the DoD uses MHS Genesis.

Ranking Committee Democrat Senator Jon Tester warned in the letter to CIO Gfrerer that “EHR modernization cannot be allowed to fail.” This means that interoperability, even as facilities switch over through the modernization project, must be maintained at all stages of implementation: “OI&T must also go beyond simply maintaining its current EHR system, VistA, and continue important development projects that allow VA medical centers to continue serving veterans without any adverse impacts.”The use of EHRs only reach maximum efficiency if the underlying health IT infrastructure is the same across the entire government footprint. —Staff

“

The United States has the most expensive healthcare in the world”

The Healthcare IG( B OImperative OK EXCERPT) Medical mistakes kill over 250,000 people each year in the U.S.

t is the third leading cause of death overall, behind heart disease and cancer, according to a study by doctors at Johns Hopkins. These numbers are certainly low, since they do not include deaths at nursing homes, surgery centers, and in-home care settings. The United States has the most expensive healthcare in the world: the most advanced equipment, the most advanced medicines, the best-trained doctors—yet in a recent study of healthcare quality the U.S. came in dead last out of 11 civilized nations. The U.K., Switzerland and Sweden topped the list. The U.S. healthcare problem is not due to poor training, inferior equipment, inferior medicines, or lack of financial resources. No, the problem is likely primarily a failure to get the right information to the right people at the right time; that is, caregivers must have accurate, current clinical information to do their jobs properly. This is an information governance (IG) issue that has life or death consequences. It can be fixed, but healthcare professionals must gain the necessary education and tools, collaborate with experts and each other, and gain executive management support for IG programs. Across the pond, the issues facing the United Kingdom’s government-funded National Health Service (NHS) are somewhat different, where IG has been an area of focus to ensure data quality and protect patient data for more than fifteen years. Although IG was mentioned in journals and scholarly articles decades ago, the UK is arguably the home of healthcare IG, and perhaps the IG discipline. Could this be the reason the UK’s leads the world in healthcare quality? Certainly, it must be a major contributing factor. Since 2002 each UK healthcare organization has been tasked with completing the IG Toolkit, managed by NHS Digital for the UK Department of Health. Although the IG Toolkit has evolved over the years its core has remained constant. However, in April 2018 it was replaced with a new tool, the Data Security and Protection Toolkit, based around 10 National Data Security Standards that have been formulated by the UK’s National Data Guardian. —Robert Smallwood

We can help. We are the world’s leading provider of IG training. Our instructors leverage best practices, metrics and real world experience to help you succeed. Call us today.

Call us at: 1.888.325.5914 or visit us at IGTraining.com

INFORMATION GOVERNANCE

BEST PRACTICES

INFOGOVWORLD.COM

The

Trailblazer INTERVIEW WITH GEORGE SOCHA — CREATOR OF THE IG REFERENCE MODEL PHOTOGRAPHY BY BRIAN LAU

eorge Socha is a Managing Director in BDO’s Forensic Technology Services practice. Named an “E-Discovery Trailblazer” by The American Lawyer, he assists corporate, law firm, and government clients with all facets of electronic discovery, including information governance, as an expert witness and consultant. George has served clients in a variety of industries including pharmaceutical, energy, retail, banking and technology, among others. As a renowned industry thought leader, Mr. Socha has authored more than 50 articles and spoken at more than 300 engagements across the world on a variety of e-discovery topics. His extensive knowledge has also been utilized more than 20 times to provide expert testimony. Co-founder of the Electronic Discovery Reference Model (EDRM), a framework that outlines the standards for the recovery and discovery of digital data, and the Information Governance Reference Model (IGRM), a similar framework specific to IG, George is skilled at developing and implementing electronic discovery strategies and managing electronic discovery processes.

George Socha is a Managing Director in BDO’s Forensic Technology Services practice.

Where did you grow up? Go to school? I grew up on a non-working farm in rural Wisconsin, just East of Madison. My brothers and I were able to romp in more than a hundred of acres of woods, streams, and ponds and tinker to our hearts’ delight.

I had the good fortune to go to a small private high school, Wayland Academy, where I got my introduction to computers. Then, I was on to the University of Wisconsin–Madison for a solid liberal arts education; finally, after a stint as a Peace Corps volunteer, I attended Cornell Law School, where I had the chance to immerse myself in the legal aid clinic. When did you first develop an interest in the law? What attracted you? Although I majored in political science and took some classes about law as an undergraduate, it was only after I returned from the Peace Corps that I gave any serious thought to law school. This may sound odd, but at the time, for me it was almost a coin toss between law school and an advanced degree in intaernational agricultural economics. To this day, I can’t really say why the former won out. How and when did you get involved in the e-discovery side of the law business? Circumstances pushed me into e-discovery. Although I took computer programming classes in high school and spent much of my free time during those years writing code, I had nothing further to do with computers until I returned from West Africa in 1983. My middle brother was writing a book about the relatively new IBM PC; I looked at the machine, and realized the world had changed while I was gone. As I was applying INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE | BEST PRACTICES to law school, I wrote an inventory management system for my father’s business; and in my second and third years of law school built a matter management system for the Cornell Legal Aid Clinic (yes, a small cadre of us were using PCs at that clinic in the 1980s). Arriving at my first firm out of law school, I soon decided I could be more efficient using an Apple Macintosh than a Dictaphone. That ultimately led to the firm assigning me both oversight responsibility for IT operations as well as the responsibility of building out our litigation support and eventually e-discovery capabilities in the late 1980s and early 1990s.

The idea for Little Free Libraries began in western Wisconsin. Each participant builds their own library and shares their books with the community. George built his with a Dr. Seuss motif. There are now over 75,000 Little Free Libraries in 88 countries.

What hobby or special skill do you have that might surprise your colleagues?

“

No surprise to many who know me, I think, is the pizza oven I built in our backyard about a decade ago and what I cook in it. And a great pleasure for me is seeing our children, young adults now, demonstrate cooking skills beyond anything I have been able to master.”

What major trends do you see influencing e-discovery now, and over the next 5 years? The primary driver has to be the need to go into electronically stored information (ESI) to understand what happened in the lawsuits and investigations we all work on. The volume, variety, complexity, and richness of that data provides both great opportunities and huge frustrations. Continuing to wrestle with and take advantage of that rich complexity will keep pushing e-discovery for some time to come. How do you see e-discovery fitting in to the overall Information Governance discipline? There are pushes and pulls in both directions. Better Information Governance—getting your electronic house in order, so to speak—can lead to more efficient and effective as well as less costly e-discovery. Insights learned during e-discovery, macro and micro, can enhance an organization’s ability to better govern its data. At the macro level, one can learn much about, for example, the extent written policies and practices line up with actual ones and as a result improve and redirect an organization’s overall approach to IG. At a macro level, one can draw on in-the-trenches e-discovery experience to, for example, amend email retention schedules. You were a co-founder of EDRM.net and co-author of the E-discovery Reference Model and IG Reference Model. How and why were these models developed? Why do you believe they have endured? In 2005, Tom Gelbmann and I pulled together about 35 people to develop a model to address two seemingly simple questions: what is e-discovery at a practical level and what are the basic steps one should consider taking with respect to e-discovery? What we thought would be a straightforward one-year project obviously has grown to something much larger. We think it caught on because it filled a void and stuck because it was soundly grounded in people’s and organizations’ actual experiences and practices. The Information Governance Reference Model was an outgrowth of the EDRM framework that our members wanted to see developed to fill yet another void, and has been of value for the same basic reasons that the EDRM diagram has endured. How would you compare working as an attorney specializing in e-discovery issues versus providing advice to clients in your role at BDO? Sometimes, they are one and the same. At BDO, I continue to do much of the same work I did during my 13 years as a solo consultant, which in some ways was not that different from e-discovery I did for a decade before that as a practicing attorney. Two major differences are that I have resources, bench

INFOGOVWORLD.COM

Electronic Discovery Reference Model

INFORMATION GOVERNANCE

PO LIC Y

Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of ESI (electronically stored information) through its final disposition. GOVERNANCE UNIFIED

PROCESSING

BUSINESS Profit

Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.

ION RAT TEG IN

DUTY

VALUE Create, Use Retain Archive

ASSET Store, Secure

RENC

Hold, Discover

PRESERVATION PRIVACY & SECURITY Risk

IDENTIFICATION Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

SPA

Dispose

LEGAL Risk

Standards, Guidelines and Practical Resources for Legal Professionals and E-Discovery Practitioners

RIM Risk

C PRO

IT Efficiency

Ensuring that ESI is protected against inappropriate alteration or destruction.

PRESENTATION REVIEW Evaluating ESI for revelance & privilege.

COLLECTION Gathering ESI for further use in the e-discovery process (processing, review, etc.).

Displaying ESI before audiences (at dispositions, hearings, trials, etc.). especially in native & near native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

PRODUCTION Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.

ANALYSIS Evaluating ESI for content & context, including key patterns, topics, people & discussion.

Source: EDRM.net

VOLUME

RELEVANCE

strength, and bandwidth available to me now that I could not begin to approach when I was on my own, and I have great set of colleagues to work with, ones who I am glad to say have skills and expertise in a wide range of disciplines that, again, I never would have been able to offer on my own. The clients I work with at BDO are similar to, sometimes the same as, the ones I worked with when I was on my own. They continue to have complex challenges that need addressing: the type I like the best. And as before they cover the spectrum from e-discovery neophytes to people with years of experience handing the most complex of issues.

As you note, IG has had a slow awakening in the U.S., but it is waking up. From my vantage point, it seems the two key drivers are concerns about data privacy and concerns about data security.

How has the role of privacy increased in e-discovery preparedness and litigation? The role of privacy in e-discovery and litigation generally has changed enormously in a short period of time. Not that many years ago, privacy with respect to e-discovery meant little more than taking what now seem naively simple steps to avoid having a litigant’s data spill out into the public because; for example, a data production got shipped to the wrong address. Today, handling sensitive information appropriately, especially personally identifiable information, has become a much more serious business and rightly so.

What do you like most about the Twin Cities? What is your favorite lunch spot? What do I like best about the Twin Cities? Our circle of friends and then ready access to the outdoors and the arts. And my favorite lunch stop? Our own kitchen—perhaps a potato leek soup prepared from vegetables from the CSA we have been part of for over 20 years.

What impact have you seen the EU GDPR legislation making on U.S. clients? The GDPR has sharpened the focus on privacy issues as nothing before. It has been a major driver of privacy initiatives in organizations large and small, international and domestic, and as a result renewed interest in Information Governance more generally.

What is your favorite dish to eat during cold winters? There are so many choices! Perhaps that potato leek soup? Or maybe the cassoulet we have being discussing preparing. It only takes three days to make! —Robert Smallwood

IG has had a rather slow awakening in the United States. Do you see that changing? What forces or influences are impacting that shift?

What hobby or special skill do you have that might surprise your colleagues? No surprise to many who know me, I think, is the pizza oven I built in our backyard about a decade ago and what I cook in it. And a great pleasure for me is seeing our children, young adults now, demonstrate cooking skills beyond anything I have been able to master.

What is your favorite sports team? Honestly, I don’t follow sports teams at all, so I don’t have an answer to this one.

GEORGE SOCHA IS A MANAGING DIRECTOR IN BDO’S FORENSIC TECHNOLOGY SERVICES PRACTICE. NAMED AN “E-DISCOVERY TRAILBLAZER” BY THE AMERICAN LAWYER, HE ASSISTS CORPORATE, LAW FIRM, AND GOVERNMENT CLIENTS WITH ALL FACETS OF ELECTRONIC DISCOVERY, INCLUDING INFORMATION GOVERNANCE, AS AN EXPERT WITNESS AND CONSULTANT. HE CAN BE REACHED AT GSOCHA@BDO.COM

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE | BEST PRACTICES

Tool Time

IG ASSESSMENT MODELS: USE THE RIGHT TOOL FOR THE JOB

NOTE Part of this article was excerpted with permission from Robert Smallwood’s Information Governance for Healthcare Professionals (HIMSS/ CRC Press 2018).

INFOGOVWORLD.COM

rganizations are ramping up IG programs in today’s risk and regulatory environment that increasingly emphasize the need to reduce information risks and costs, while maximizing information value. The first principle from The Sedona Conference’s® Commentary on Information Governance articulates this maxim:

1. Organizations should consider implementing an IG program to make coordinated decisions about information for the benefit of the overall organization that address information-related requirements and manage risks while optimizing value.

Organizations considering or reshaping IG programs may want to consider various approaches to assessing the current state of their IG processes, and the fourth principle states: 4. The strategic objectives of an organization’s IG program should be based upon a comprehensive assessment of informationrelated practices, requirements, risks, and opportunities. There are various “IG Maturity Models” available that can be leveraged in the IG effort, and they are each suited for certain business scenarios. We’ll review some leading approaches. CGOC IG PROCESS MATURITY MODEL (IGPMM) This model from the Compliance, Governance, and Oversight Council (CGOC), is a broad, encompassing, and detailed tool with a research-based focus that measures IG maturity on 22 IG-related processes. The IGPMM was developed in 2012, and updated in 2017 to include considerations for cloud computing, cybersecurity, and privacy. It is a comprehensive model based on the input of over 3,600 Legal, IT, and RIM professionals, and is applicable to all industries. The IGPMM heavily emphasizes IT, legal, privacy and security processes. IG Processes are assessed based on four defined levels of maturity. Notably, In the IGPMM, RIM constitutes only one of the 22 processes that are measured for IG program maturity, whereas there are seven IT processes, six Legal/E-discovery processes, and four for Privacy and Security. (This model may have some bias; IBM is a founding sponsor of the CGOC and certainly is positioned mostly in the IT space). This author believes that, based on industry trends and Best Practices, the importance of Privacy and Security roles in IG will continue to increase and are generally of more significance to IG programs than IT everyday processes such as System Provisioning (which is included in the CGOC model). The CGOC Model also includes a Risk Heat Map to help plan the necessary actions to take, and a Process Score Card. RECORDS MANAGEMENT PROGRAM ASSESSMENTS For the assessment of records and information management (RIM) functions within IG programs, the IG Maturity Model from ARMA International, “which is based on the Generally Accepted Recordkeeping Principles®, as well as the extant standards, best practices, and legal/regulatory requirements that surround information governance—is meant to be deployed as a quality improvement tool.” There are eight Principles in the model and assessments are made based on five levels of maturity, from Substandard

to Transformational. The Model has not been updated for a decade. HEALTHCARE IG ASSESSMENTS For healthcare specifically, the newer (and less mature) IG Adoption Model™ from AHIMA measures maturity of 10 organizational “competencies” AHIMA states these are tied directly to Merit-based Incentive Payment System (MIPS) performance categories and help organizations improve performance under the Medicare Access and CHIP Reauthorization Act (MACRA). However, the status of this model is in question, as AHIMA recently announced it is pulling back from the IG market. When looking at component IG areas, there are other maturity models to consider. For example, for analytics functions, the HIMSS Analytics Adoption Model for Analytics Maturity (AMAM); for e-health records, the HIMSS Maturity Model for Electronic Medical Record (MMEMR) and the Continuity of Care Maturity Model (CCMM) and also the Electronic Patient Record Maturity Model (EPRMM) for systems that manage all patient information. STANDARDS-BASED ASSESSMENTS It may be helpful to use certain standards to help guide IG program efforts, such ISO 31000 for risk management, ISO 27001/2 for information security, ISO 38500 for IT governance, ISO 22301 for business continuity, ISO 9000 quality guidelines for healthcare, and other standards that may be relevant to the IG program focus. IG PROGRAM PROGRESS ASSESSMENTS Once an IG program is in place, its effectiveness needs to be assessed periodically, every 12-24 months. This follows the 11th Sedona Principle: 11. An organization should periodically review and update its IG program to ensure that it continues to meet the organization’s needs as they evolve. IG program assessments can utilize several tools, and using the right tool(s) for the job is key to success. —Robert Smallwood ROBERT F. SMALLWOOD, MBA, CIP, IGP IS THE WORLD’S LEADING IG TRAINER AND AUTHOR. A THOUGHT LEADER IN IG, HE HAS PUBLISHED MANY ARTICLES AND SEVEN BOOKS ON IG TOPICS, INCLUDING THE WORLD’S FIRST IG TEXTBOOK. HE ASSISTS ORGANIZATIONS IN LAUNCHING OR RE-SHAPING IG PROGRAMS, AND DELIVERING IG TRAINING. HE CAN BE REACHED AT RS@IGTRAINING.COM

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE | BEST PRACTICES

Perfect Ten W 10 KEY RECORDS MANAGEMENT SYSTEM CONSIDERATIONS BY BUD PORTER-ROTH

INFOGOVWORLD.COM

hile Information Governance (IG) is the overall framework for managing all types of corporate information, Records Management (RM) is the specific area of IG that allows you to manage and control documents according to a records policy and records retention schedule (RRS). An RRS allows you to assign retention periods to documents, data, records, and emails and to be able to archive or destroy this content when the retention period has been completed. In addition, RM software allows you to suspend or hold the retention period when documents are part of a legal action so that the documents are preserved in their original state if needed.

If you are considering implementing RM, here are 10 important considerations: 1. RM CAPABILITIES You will need a document management (DM) or electronic content management (ECM) system that includes RM capabilities. If you have an existing DM or ECM system and it does not have RM capabilities, you will need a standalone RM system. So purchase a system with RM capabilities, or possibly add an RM module onto the existing system. 2. DOCUMENT OR RECORD? Most organizational documents and information are not records. It has been stated, in many articles and conferences, that the actual number of “business records” in a company can be 1% or less. So, we are talking about picking expensive needles out of haystacks! However, some records may need to be managed under the broader IG program, so it is important to update and align your RSS to the overall IG program. 3. RSS IMPORT FUNCTION Although obvious, you need an RRS that can be imported into your DM or ECM system. Don’t expect users to manually classify a document by reviewing a separate retention schedule––for example in an Excel spreadsheet, Word document or a piece of paper. Using auto-classification is the recommended method to classify records in a DM or ECM in order to ensure retention is applied. 4. PAPER AND ELECTRONIC (HYBRID RECORDS MANAGEMENT) RM applies to both paper and electronic documents—be prepared to do both—and make sure your RM software handles both paper and electronic. Not all RM systems do both, so be sure to check. RM may also apply to other physical media such as USB drives, external SSD drives, and tapes, etc. 5. AUTO-CLASSIFICATION Using auto-classification technology tools is preferred. However, if you are going to grant users some autonomy in declaring records, users must be trained to select the right retention category for their document and do it quickly. If not, users may not do it or continue to use the one category that they know about. RM training must be available in some manner: online, in person, lunch sessions, reference documents, and be listed on your mandatory training schedule. Also, see #10 below. 6. RM CUSTODIAN Some companies have a designated RM custodian that transition documents to “declared record” status so the average office worker is not responsible. This requires that you have a RM custodian for each business unit who is a SME for both content and records categorization.

7. RECORD DECLARATION Why be so careful in “declaring a record?” Because once a document is declared a record, you may not modify or delete it until the retention period is completed. (Under certain circumstances, you may “undeclare” it, depending on the RM software, and this usually involves multiple people providing permissions to undeclare the record. Also, a System Admin may be required to make the change.) 8. RECORD DESTRUCTION As part of the initial setup, you must decide what to do with a record when it becomes due for destruction. 1. Destroy it automatically without review (see #9 below); 2. Have your RM Custodian responsible for that business unit review and approve/initiate the destruction; 3. Extend the retention time to a future date (you can keep a record longer, but not less than the scheduled time). 9. RECORDS HOLDS You will have to incorporate holds into the records management program and software. Holds can be a complex undertaking and may require the legal department to participate, as well as the business units and the software system admins. It also means that the RM software must have this function. 1. Legal holds apply to all related documents, whether they are a record or not; 2. Legal holds suspend the retention activities for all documents (paper or electronic, record or non-record) until removed from legal hold; 3. Legal holds must be noted in the RM system to prevent auto-deletion (if used) and to search for those documents. A field with the legal hold number is typically used; 4. Paper documents may need to be collected and set aside or somehow restricted from being deleted or changed; 5. Someone, in the applicable business unit, needs to apply the legal hold to the specified documents (which could be many and include both paper and electronic); 6. Someone, in the applicable business unit, needs to remove the legal hold when it is rescinded so documents can resume their normal retention schedule; 7. You should read up on the concept of legal holds if you are not familiar with them. A good resource is 7 Steps for Legal Holds by John J. Isaza and John J. Jablonski. 10. RETENTION SCHEDULES CHANGE Retention schedules are not cast in concrete! They will change as your business changes and be updated as new legislation is introduced. In conclusion, RM just like IG is a journey, not a destination. BUD PORTER-ROTH HAS BEEN AN INDEPENDENT CONSULTANT FOR 20 YEARS AND IS FOUNDER AND PRINCIPAL CONSULTANT FOR PORTER-ROTH ASSOCIATES (PRA), WHICH PROVIDES A BROAD RANGE OF CONSULTING SERVICES TO USERS AND VENDORS OF ECM TECHNOLOGIES. HE IS A FREQUENT SPEAKER AND WRITER AND CAN BE REACHED AT BUDPR@ERMS.COM

INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY

PLAYING WITH OUR EMOTIONS

acebook is not only an unmitigated cesspool of data privacy failures, but for a time, the tech giant meddled a bit in the emotional manipulation of its users. A report, which first aired on NPR in 2012, outlined what appeared to be an attempt by Facebook scientists to manipulate more than 600,000 users’ newsfeed. In true experimental fashion, they went with an A/B split test, with some users getting positive items, while others received negative ones. Unsurprisingly, a trend emerged: people who received negative news were more negative; people who received more positive news were more positive. The New Scientist reported: “The research means ‘emotional contagion’ can happen online, not just face to face.” It went on to add: “The effect was significant, though modest. Ke Xu of Beihang University in Beijing has studied emotional contagion on Chinese social networks. He says [Facebook’s Adam] Kramer’s work shows that we don’t need to interact in person to influence someone’s feelings.”If this

INFOGOVWORLD.COM

comes as surprise, then you haven’t been paying attention. We have enumerated Facebook’s data privacy sins ad nauseam, and this is just another personal intrusion that is very much in line with Facebook’s expectations of how they treat users. Interestingly, this kind of experiment is likely allowed under Facebook’s Terms of Service, as reported by The Verge. The Verge reports: “When users sign up for Facebook, they agree that their information may be used ‘for internal operations, including troubleshooting, data analysis, testing, research, and service improvement.’ While there’s nothing in the policy about altering products like the newsfeed, it’s unlikely Facebook stepped outside the bounds of the Terms of Use in conducting the experiment. Still, for users confused by the whims of the News Feed, the experiment stands as a reminder: there may be more than just metrics determining which posts make it onto your feed.” Are we really surprised by what Facebook does with our data anymore? —Staff

PROTECT AND SERVE? IS THE ROLE OF DPO MISUNDERSTOOD?

W “

There is a new officer in town, an electronic privacy officer who stands guard against the misuse and abuse of electronic personal data”

ith minimal fanfare—but great impact—GDPR took effect last May. There is a new officer in town, an electronic privacy officer who stands guard against the misuse and abuse of electronic personal data that originates in the European Union (EU), or is owned by an EU citizen, anywhere in the world. This is the Data Protection Officer (DPO), a new GDPR-mandated officer who epitomizes person-centered electronic privacy rights. More to the point, the DPO manages those, “Core activities… that are ‘inextricable’ to the company’s primary functions.”1 The EU’s GDPR revolutionizes how both public and private businesses, and other organizations, manage personally identifiable information (PII) in the course of business operations. Under the new regulations, all businesses headquartered and run inside the EU must have a designated DPO. As the new officer in town, the DPO ensures organizations and businesses that utilize PII do so from a person-centered privacy perspective. Certainly, this adds compliance costs, which private companies deplore and resist.

While this is straightforward within the EU’s member states, confusion can arise when trying to determine under what circumstances non-EU businesses and organizations must have a DPO. To begin, it is not the size or the number of

company employees that determines the need for a DPO. It is the volume of PII they handle. Typically, a small business outside the EU will not need a DPO unless it processes PII as a core activity and its volumes are substantial. At its core, the DPO is a compliance officer who should differentiate between core business functions and those that are supportive of the business functions. Businesses operate according to strict functional requirements, in part because of records management requirements––which the DPO ensures the company functions according to Privacy by Design and by default. Stated differently, the DPO ensures the company complies with person-centered electronic privacy mandates. Much like a records manager, the DPO needs “significant experience in both IT and risk management.” To be successful, the DPO must work to ensure that the company has a culture of compliance. Additionally, DPOs must have “knowledge of how GDPR regulations and all applicable national data protection law apply to the organization’s data processing practices; significant experience with IT security audits and threat assessment; and strong communication skills across a variety of organizational positions and departments.” DPOs must be independent and autonomous, have emotional intelligence, and be answerable only to the highest executivelevel management structure. This is a crucial aspect of accountability and the audit process that has the potential to identify hidden violations that could lead to substantial fines. The DPO is also the primary communicator between IT and the executive level, as well as the chief responder to breaches and other public reflections of cybercrime. If any of this sounds familiar, it should. EU lawmakers who debated and composed the landmark GDPR likely did so with records managers and frameworks like the Generally Accepted Recordkeeping Principles® (Accountability, Transparency, Integrity, Protection, Compliance, Availability, Retention, and Disposition) in mind. This has substantial ramifications for modern businesses that have embraced an IG strategy. In today’s regulatory environment, RIM professionals might just be tailor-made to take on the mantle of a DPO—as they have many of the same professional requirements. —Mark Driskill INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY

BATTLE OF THE DEVICES FACEBOOK PORTAL TAKES ON GOOGLE HOME AND AMAZON’S ALEXA

The world has changed, but privacy concerns linger, especially now that we have more and more devices to monitor how we interact. Portal, Facebook’s foray into the home messaging portal space, offers a new, shiny option. Let’s take a look at the top three products and see which one emerges as the winner of the battle royale.

PORTAL (Facebook)

Summary: Portal is a recently launched Facebook smart display. There are two options, the 10.1-inch Portal and the 15.6-inch Portal Plus. They both offer video chat by way of Facebook Messenger. The auto-zoom feature allows the smart camera to follow people around the room. Pros: • Track people as they move around the room • Integration with Alexa • It has a wide field of vision • Quality sound 30

INFOGOVWORLD.COM

Cons: • Limited functionality • Only uses Facebook Messenger • Captures data based on length and frequency of video calls

HOME (Google) ALEXA (Amazon)

Summary: Google Home might be the most robust of the smart displays, with a voice-activated speaker powered by Google Assistant. You can ask Google, manage tasks, and control devices around your home that are smart-compatible.

Pros: • New video and touchscreen controls • Simple to use • Great sound • Video conferencing is easy Cons: • Dated design • Low-resolution screen (when used with Echo Show) • Expensive relative to other alternatives

Pros: • Great at answering questions • Able to cast videos and audio onto your TV and other devices • Can differentiate between voices. • Supports Google Play and YouTube • Better than average sound quality Cons: • Some features are not available in all regions • Less available skills than other comparable devices • Lag in third-party support • Can’t read or send messages; can only list calendar items • Relatively costly • No intercom feature and doesn’t listen well over distances

Summary: Alexa has become a bit of a household name. First developed as a virtual assistant by Amazon and used in the Echo and Echo Dot, it remains a strong device in the space.

SO WHO WINS? Unfortunately, it isn’t that simple. The calculus of cost, convenience, and the amount of privacy you are willing to give up drives the utility of a particular device. If you’re not Facebook averse, then the Portal might be for you. If you want something simple, then Alexa is your best bet. If functionality is coveted above all, then

Google Home might be perfect for you home. But all three are capable of monitoring your everyday activities, and of being hacked. Do you really want your private conversations at home monitored— and video of you in your underwear (or less!) able to be captured by a third party without your knowledge? The choice is up to you. —Dan O’Brien INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY

LOOKING BACK TO SEE THE WAY FORWARD 2018

is going to be remembered for a lot of reasons, many of which are not particularly positive. Perhaps the most germane to what we care about here at InfoGov World is that 2018 marked the year when data privacy became not only a buzzword, but a public reality. Even if you weren’t someone who followed data privacy closely (though if you are a reader of the magazine, we imagine you might be), the seemingly nonstop slew of high-profile breaches barely made a blip. Until, that is, we learned something we might have always known: Facebook was lying. Zuckerberg’s very public (and very awkward) public testimony before a U.S. congressional committee and U.K. Parliament revealed two things: one, most politicians don’t really understand how the Internet works; and two, that the data privacy

INFOGOVWORLD.COM

discussion was far from over. GDPR and the Cambridge Analytica scandal would further bring the public lens onto the data privacy community, but there were many, many more privacy breaches in 2018. If you used the Internet at any point last year, then you no doubt experienced the deluge of website messages talking about privacy policies. This was because GDPR went live in May, although it was passed in 2016, providing more than enough time for the tech world to prepare. Consent wasn’t only about the #MeToo movement; it also pertained as well to the collection and use of personal data in the data privacy sector. It will be a long time before Silicon Valley can wipe away the stain of Cambridge Analytica. Public trust in the tech sector took a real hit in 2018, and their ears are still ringing. Facebook stock plummeted from a high of about $215

in late July to $124 in late December, a more than 40% loss in market value, although it rebounded slightly in January. Facebook’s data misuse and foolishness in regard to screening thirdparty developers finally are having an impact. Given the relationship of their poor data privacy behavior and potential connections to ethical concerns, the market is punishing Facebook for putting millions of people’s PII and other sensitive data at risk. Stay tuned— Google and Amazon may be next. However, it wasn’t just the tech giants who had data privacy problems. Data breaches were abound at some of the top global companies, including the likes of Under Armour, Marriott, and Quora. The takeaway was simple: companies were still treating data privacy like something that could be sloppily approached. The public outcry was not quite as pronounced as with

Facebook’s multiple faux pas (at least 21 breaches in 2018), but it was no less impactful. All told, hundreds of millions—no billions—of people were affected by data breaches in 2018. The most groundbreaking privacy event of 2018 was the conversation sparked by GDPR going into effect. Its formal launch last May signaled a sea change in data privacy. Many companies felt the pressure to comply, and others were concerned about its impact on business

“

Data is King in the Digital Age, and the privacy of that data was central to the conversation in 2018.” in general. In the end, it proved to change the regulatory landscape for the better. Looking forward in 2019, data privacy regulations and conversations haven’t shown any sign of slowing down. If anything, last year proved to be a high-water mark that most in the industry saw for what it was: a time to change the way things are done. GDPR has proven to be what other nations needed in order to take another look at their data privacy laws and regulations. For example, California (the seventh-largest economy in the world) passed the California Consumer Privacy Act (CCPA). It will be in effect the first of the year in 2020, in order to protect consumers’ personal data. Clearly, things have changed. What’s next? The push toward Chief Privacy Officers (CPOs), CISOs and CIOs in organizations for the implementation of data privacy policies will no doubt be on the rise given 2018’s climate. After all, privacy is all about data protection, and that responsibility typically falls on the CPO, CISO or CIO within an organization. Data is King in the Digital Age, and the privacy of that data was central to the conversation in 2018. It would make sense then that 2019 would see a noholds-barred match between the aptly termed “Data Industrial Complex” and privacy regulations. Stay tuned, sports fans. Given the need for data privacy across the board, expect privacy automation to continue to emerge as a major new market. Relying on outdated manual processes is part of what got companies into trouble in 2018; this will no doubt change in the new year. Regardless of our prophecy powers, data privacy is continuing to grow. We will be here to make sure you understand what is happening in that part of the digital world. —Staff

A TIMELINE OF DATA PRIVACY FAILS

acebook’s data privacy fails are increasingly well documented in the public eye. And even if some of those fails haven’t grabbed the headlines like the Cambridge Analytica scandal, the tech giant certainly understands the implications. Ongoing conversations about privacy and user data have reached beyond the technology community; public opinion and congressional interest are on the rise. 2018 hasn’t been kind to The Social Network. Let’s talk a little about the timeline of their foibles. January, and the New Year, started out with a proclamation by Zuckerberg to “fix Facebook’s issues.” By February, a German court found that Facebook failed to ask users if they wanted their data collected; not long after, a Belgian court ruled that Facebook broke privacy laws through their tracking of people using third-party applications. March proved to be the high-water mark thus far, with the Cambridge Analytic scandal breaking and opening up the dam of data privacy issues faced by tech giants. Less than a week after the story broke, the FTC opened an investigation into Facebook. Unsurprisingly, Facebook’s stock position was in freefall. In an attempt to appear in cooperation with the investigation, Facebook revealed that almost 90 million people were affected by the improper sharing with Cambridge Analytica. This led to Zuckerberg testifying before Congress on April 10th. By the end of the month, the scandals saw its first tech ouster, with Jan Koum, WhatsApp co-founder, leaving Facebook because of Facebook’s data privacy concerns. By the end of May, EU lawmakers joined in. June proved to be another faux pas, as Facebook revealed that the posts of more than 14 million users were exposed publicly because of software issues. July 26th marked a high point in Facebook’s stock position, then it plummeting after that and lost about 40% of its value. September saw Instagram’s founders abandoning ship as well. Not to mention that on September 28th, Facebook would announce that 50 million accounts were taken over because of a security flaw. The November 14th New York Times article outlined, in an extensive article, Facebook’s efforts to “delay, deny, and deflect” questions about election interference. 2019 may not be any better, as Facebook, and especially Zuckerberg, is under the microscope. We know that Facebook is monitoring and watching us as we use their platform, but the optics have certainly changed for the social media giant. —Staff INFORMATION GOVERNANCE WORLD

INFORMATION PRIVACY © 2018 Osterman Research, Inc. All rights reserved. NOTE: This is an excerpt from the Osterman Research white paper Best Practices for GDPR and CCPA Compliance. The entire White Paper can be downloaded at https://dm-mailinglist.com/subscribe?f=cb29b884.

THE GDPR AND THE CCPA BY MICHAEL OSTERMAN

ew data protection regulations, such as the GDPR and the California Consumer Privacy Act (CCPA), lay out the legal rights held by consumers over their personal data. Entities that collect and/ or process this type of data must extend these rights to consumers (in GDPR terms, natural persons known as “data subjects”), or face harsh penalties. Specific rights vary by regulation and region, although GDPR is the most far-reaching of any current data protection regulation. KEY DRIVERS FOR THE GDPR AND CCPA The current push around the world on data protection is the result of several fundamental trends: • Aligning freedoms and responsibilities for data collection and processing of personal data • Equal rules for all • Very public bad behavior with personal data by some companies • The extra-territorial scope of GDPR • Forming new cultural norms where data protection and good business are not mutually-exclusive ENTER THE CCPA As a response to the GDPR, and to increasing privacy concerns by U.S. citizens, the government of the State of California passed the CCPA—Assembly Bill 3752—with great urgency in late June 2018. The CCPA, which is being implemented in the world’s fifth largest economy, is a good example of the type of patchwork of legislation with

INFOGOVWORLD.COM

which organizations worldwide will have to contend. It serves as a call for organizations to develop a common approach to dealing with growing body of privacy legislation around the world. The Act was passed, in part, to preempt a ballot initiative that was to be voted on in November 2018 and that, if passed, would have imposed stricter data privacy requirements. The Silicon Valley titans wanted to avoid that. The new Act introduces several of the principles of the GDPR to state law in California and, like the GDPR, applies to the personal data of people in a defined geography even when handled by organizations outside of that geography. Finally, while California is a populous state, the law applies only to Californian residents and not to the broader United States or North America. CCPA is a local initiative, not a coordinated multi-state one like GDPR.

PRIVACY REGULATIONS ARE SPREADING The GDPR has applicability for data subjects in Europe, but given the extraterritorial scope of this applicability, we have previously called it the “Global” Data Protection Regulation instead of the “General” Data Protection Regulation. GDPR is indeed having global effects, with more than 100 countries around the world implementing laws that draw on the principles of GDPR. Few are as extensive as GDPR, but many share similarities. For example: INDIA India’s Personal Data Protection Bill of 2018 is very closely aligned with the GDPR, including rights for individuals, the tiers and scope of administrative fines, and the need for a legal basis for processing personal and sensitive personal data. Several differences also

exist, such as the requirement for absolute data localization for “critical personal data,” although interestingly this phrase is not specifically defined, and that the State gets its own legal basis. BRAZIL The new General Data Privacy Law 2018, or Lei Geral de Proteção de Dados Pessoais (LGPD), was signed into law in August 2018, and will go into effect in February 2020. LGPD contains many of the same privacy principles of the GDPR, requires a legal basis for collection and processing, applies in-country and extra-territorially, and adopts the two percent of global revenue fine level (but not GDPR’s four-percent one). Data breach notifications are also required. Brazil is yet to create an independent data protection authority, since the President vetoed this section of the law, stating that the task of creating such an agency sat with his office and will be forthcoming. AUSTRALIA Australia recently introduced a new data breach notification law (in February 2017) that extended its existing data privacy legislation. Australia lacks a GDPR-type law at present, although some murmurs are starting to be heard about Australian’s owning their online footprint and personal data, which could indicate a GDPR-type initiative will be forthcoming shortly. Several other U.S. jurisdictions have strengthened their data breach notification requirements—such as Colorado—although most of these breach-oriented initiatives lack the breadth of GDPR and don’t create the consumer rights of access, erasure, rectification, and limitation of processing, among others. WHAT SHOULD YOUR ORGANIZATION BE DOING TO PREPARE AND COMPLY WITH THE GDPR AND CCPA? The GDPR, CCPA and other data protection regulations address a common general theme, but there are overlapping requirements, regional variations, and multiple

inconsistencies. Organizations operating in a single market under a single regulation will have a clearer regulatory pathway, but this is increasingly difficult with online commerce, digital markets, and globalization. While there will always be regional variations to account for—such as notification timeframes and contact details—organizations facing the need to comply with multiple data protection regulations will have to decide on one core guiding principle: to only offer specifically what is required per market, or to more broadly offer the same rights to all consumers anywhere in the world. The choice of a guiding principle will dictate the complexity of an organization’s compliance journey, and with either pathway the following principles will be necessary for compliance. SOLUTIONS TO CONSIDER FOR COMPLIANCE Organizations subject to GDPR, CCPA and other data protection and data privacy legislation require a multi-faceted approach to compliance that includes a balanced set of organizational and technical measures. Technical measures should include: • Security from Threats • Security of Processing • Device and Data Encryption • Backup • Archiving Solutions • Data Governance Solutions • Geo-Ring Fencing • File Analysis and Data Classification Solutions • Pseudonymization and Anonymization • Data Loss Prevention/Data Breach • Identification and Adaptive Protection or Blocking Solutions • Data Infiltration • Identity, Access and Management Solutions • Data Portability Solutions • Application Security Testing • Employee Training • Other Technologies Data protection requires a balanced set of organizational and technical measures. The above technical measures, implemented in line with a

“

A failure to comply with the growing patchwork of regulations will almost certainly result in significant and negative consequences ” clear view of the risks to personal data in an organization, in combination with complementary organizational measures, will help craft a strong data protection approach and culture. SUMMARY Data privacy regulations like the GDPR and CCPA are becoming the norm and organizations must implement a variety of technologies and best practices to ensure compliance with them. A failure to comply with the growing patchwork of regulations will almost certainly result in significant and negative consequences, including direct financial costs through punitive fines, as well as loss of corporate reputation, lost business opportunities, brand damage and the like. OSTERMAN RESEARCH WAS FOUNDED BY MICHAEL OSTERMAN IN 2001. SINCE THAT TIME, THE COMPANY HAS BECOME ONE OF THE LEADING ANALYST FIRMS IN THE MESSAGING AND COLLABORATION SPACE, PROVIDING RESEARCH, ANALYSIS, WHITE PAPERS AND OTHER SERVICES TO COMPANIES LIKE MICROSOFT, AMERICA ONLINE, SUN MICROSYSTEMS, YAHOO!, NETWORK APPLIANCE, IBM, GOOGLE, HEWLETT PACKARD AND MANY OTHERS.

INFORMATION GOVERNANCE WORLD

INFORMATION SECURITY

STAR STRUCK

NAVIGATING “REASONABLE SECURITY” UNDER CALIFORNIA’S CONSUMER PRIVACY ACT | JUSTINE M. PHILLIPS, ESQ.

alifornia is the birthplace of stars, the Internet, and consumer privacy. In 1974, California empowered its residents with an inalienable constitutional right of privacy. Over time, that right has expanded to “shine the light” on mandatory online privacy policies and require consumer notices of data breaches (2003), and public shaming of companies for breaches impacting 500+ citizens (2012). In 2018, California passed the California Consumer Privacy Act (“CCPA”), giving individuals the right to be forgotten and steep fines/penalties for failing to implement reasonable security. Businesses seeking to comply must implement “reasonable security procedures” and practices by January 1, 2020. But navigating a nebulous concept like “reasonable security” can feel like we are ships lost at sea. To find our way home, data must first be charted like luminous lights in the night sky—and we have much to learn from ancient astronomers. THE LAW The CCPA gives Californians the right to bring a civil action against a business for failing to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Statutory damages range from $100-$750 per consumer, per incident. Civil penalties by the

INFOGOVWORLD.COM

Attorney General may also be assessed at $2,500 to $7,500 per violation. The ethical and legal obligation to implement, “reasonable security procedures and practices” to protect personal information from unauthorized access is nothing new—but the damages and penalties give it some teeth. REASONABLE SECURITY The CCPA requires the California Attorney General to publish guidelines on just what “reasonable security procedures and practices” are. Although Attorney General Becerra has yet to issue such regulations, the 2016 Data Breach Report (“Breach Report”) released by former Attorney General Kamala Harris is our North Star. The Breach Report is clear: Failure to implement all 20 controls from the Center for Internet Security’s Critical Security Controls (formerly the “SANS Top 20”) that apply to an organization’s environment “constitutes a lack of reasonable security.” The Breach Report goes on to recommend multifactor authentication, data minimization, and encryption as “reasonable security measures.” Yet, one cannot secure data until it is first identified, classified, and charted. STARGAZING If your ultimate destination is to safeguard your data and systems, then IG is your travel guide. Like ancient astronomers who began charting the stars thousands of years

ago, data mapping uses practical methods of observations to understand and chart the flow of data. Like stars, data is seemingly infinite, constantly expanding, and fills us with a greater sense of mystery and perspective. Early astronomers did not use complex telescopes or software to map out the stars; rather, they looked up at the stars instead of down at their feet. Accordingly, businesses should observe the way employees and third-party service providers access and utilize data, identify where personal information is stored, and begin to map out their constellations of data. MAPPING To draw up your organization’s data map, start with identifying the brightest stars like your customer database or invaluable intellectual property. After identification and classification, move on to specifying all the places that data is located. Information assets and data are often widely distributed and may reside on your servers, in the cloud, with vendors, on mobile devices owned by employees, and beyond. Data maps do not have to be fancy; instead, make them functional. Create the data map in a Word chart, Excel file, or Adobe Illustrator. Use a program that you can modify so the map evolves with additional information you learn about your data. It is only after we identify, locate, and classify the data that we can reasonably secure it. CONCLUSIONS Just as ancient astronomy evolved, our understanding of “reasonable security” will as well. The Attorney General is expected to promulgate regulations in the California Code of Regulations before CCPA may be enforced by the Attorney General in July 2020. The Attorney General’s Office has indicated that it will rely on public comments in setting out those regulations and is conducting a CCPA rulemaking road show in January and February at various locations throughout California. Soliciting feedback from stakeholders in advance of drafting the regulations will hopefully lead to a standard of “reasonable security” that businesses can utilize on their journey towards compliance. Until we have more guidance from the Attorney General, the Breach Report and data mapping will set the course. JUSTINE M. PHILLIPS, ESQ. IS A PARTNER IN SHEPPARD MULLIN’S SAN DIEGO OFFICE IN BOTH CYBERSECURITY AND LABOR & EMPLOYMENT PRACTICE GROUPS. JUSTINE TAKES A PRACTICAL AND MINDFUL APPROACH TO ASSIST HER CLIENTS IN EVERY ASPECT OF CYBERSECURITY FROM DATA IDENTIFICATION THROUGH DESTRUCTION, COMPLEX LITIGATION, AND PRIVACY/SECURITY BY DESIGN. SHE CAN BE REACHED AT JPHILLIPS@SHEPPARDMULLIN.COM.

GETTING SCHOOLED U OF SAN DIEGO HOSTS CYBER LAW, RISK AND POLICY SYMPOSIUM

he University of San Diego’s Center for Cyber Security Engineering and Technology (CCSET) hosted a two-day symposium last November on Cyber Law, Risk and Policy. This event brought together cybersec industry thought leaders to discuss how the law impacts corporate cyber risk and polices. One specific topic was the on-going dialog generated by the California Consumer Privacy Act (CCPA). California is once again leading the nation in privacy rights, as the CCPA is, to date, the most sweeping state legislation governing cyber liability. The CCPA requires the CA Attorney General to “solicit broad public participation” for input to be used to draft regulations to clarify portions of the law, prior to its implementation in 2020. The Symposium provided attendees with the opportunity to hear cybersec experts from law firms, insurance companies, security companies and law enforcement discuss their views on “reasonableness” and reflect on how the law should be and will be implemented. The Cyber Law, Risk and Policy Symposium featured all-star speakers and panelists including representatives from: Microsoft, IBM, Capital One, AAA, the PCI Council, CompTIA, Cylance, SPLUNK, vArmour, FBI, US Secret Service, the US Department of Justice and the San Diego District Attorney’s Office as well as professional service organizations, law firms and insurance companies. This stellar collection of presenters and panelists provided the 100+ attendees with the opportunity to learn real-world insights into cyber centric topics such as: Live Data Breach & Ransomware Attack and Incident Response; Cyber Insurance: From Risk Transfer to Cyber Threat Response; Emerging Tech in the Law: Artificial Intelligence, Internet of Things and Blockchain; and Cyber Security and U.S. Elections and Cybersecurity Strategy: Raising the Risk Conversation. Organized by USD’s CCSET (https://sandiego.edu/engineering/ cyber-security-center) and spearheaded by a robust advisory committee of top cyber professionals, the Cyber Law, Risk and Policy Symposium represents San Diego’s national leadership in the effort to get out in front of the evolving legal landscape of privacy regulations and their intersection with industry compliance regulations. Planning for next year’s Symposium is already underway. To suggest topics or volunteer contact Justine Phillips via email at: JPhillips@SheppardMullin.com or jodiw@sandiego.edu. —Baird W. Brueseke INFORMATION GOVERNANCE WORLD

INFORMATION SECURITY

STEPPING INTO SECURITY ASSESSMENTS – METRICS & EXECUTIVE ENGAGEMENT PART II IN THE SERIES

Before jumping into the topic of assessment metrics, first, a quick update regarding the Center for Internet Security (CIS) controls. Recently released Version 7 separates the 20 controls into three groups: Basic (1-6), Foundational (7-16) and Organizational (17-20) as depicted in the graphic below:

CIS ControlsTM v.7 Basic 1.

Inventory and Control of Hardware Assets

Inventory and Control of Software Assets

Continuous Vulnerability

Controlled Use of Administrative Privileges

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

Foundational 7.

Email and Web Browser Protections

Malware Defenses

9. Limitation and Control

Organizational 12.

13.

14.

of Network Ports, Protocols, and Services

10.

Data Recovery Capabilities

11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

15.

16.

Boundary Defense

Data Protection

Controlled Access Based on the Need to Know

Wireless Access Control

17. Implement a Security

Awareness and Training Program

18.

19.

20.

Application Software Security

Incident Response and Management

Penetration Tests and Red Team Exercises

Account Monitoring and Control

6. Maintenance,

Monitoring and Analysis of Audit Logs

These three groupings aid the organization in prioritizing the activities associated with the controls. Basic Controls are key for all types of organizations and should be implemented to ensure cyber defense is in place. Foundational Controls are the next step. They are technical in nature and implementing Best Practices will provide significant enhancement of cyber-security posture. The Organizational Controls embody some technical aspects; however, they 38

INFOGOVWORLD.COM

are higher level and primarily focused on people and process. Security Assessments are conducted in the context of one or more frameworks. As discussed in Part 1 (in our previous issue), common frameworks include: 1) CIS controls (above) 2) The more comprehensive NIST Cybersecurity Framework; and for Cloud computing, 3) Cloud Security Alliance’s Cloud

Controls Matrix. The purpose of a Security Assessment is to measure the organization’s cyber-security readiness. Initially, the application of metrics to this task can seem dauntingly complex. For example, looking at the first CIS control “Inventory and Control of Hardware Assets,” assessment metrics could include sigma level (1-6) compliance rankings for the following sub-controls:

Sub-Control

Sigma Level

Compliance %

1.1 Utilize an active directory tool

1.2 Use a passive asset discovery tool

1.3 Use DHCP logging to uodate inventory

1.4 Maintain detailed asset inventory

1.5 Maintain inventory info details

< 0.023

1.6 Address unauthorized assets

< 0.00034

1.7 Deploy port level access controls

< 0.62

1.8 Utilize certificates to authorize assets

Keeping in mind that this table represents the measured results for only Basic Control One, it is easy to imagine that the tabular presentation of sigma compliance metrics for all 20 CIS controls could result in an overwhelming amount of mind-numbing data. Therefore, it is clear Security Assessment control compliance must not only be measured, but that the resulting metrics must be presented in a

Radar Chart

10%

35%

Risks

72 35%

10%

Critical High Medium Low Very Low

manner which conveys the prioritized “important” information to a nontechnical audience, while at the same time preserving the detailed data for actionable analysis by the technical team. This can be accomplished using graphics to represent comparative risk levels. (top right) Another way Security Assessment metrics can be presented is in a radar

20. Penetration Tests and Red Team Exercises

10%

chart. (bottom) In this chart, the twenty CIS controls are ranked based on the people (employees) who have been properly trained to participate in the control activities. Note that Security Assessments also take into account the individual’s job descriptions to ensure that even if the employees are trained, they also have the available time required to perform the defined tasks consistently.

1. Inventory and Control of Hardware Assets

19. Incident Response and Management

2. Inventory and Control of Software Assets

3. Continuous Vulnerability

4. Controlled Use of

18. Application Software Security

Administrative Privileges

5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers

17. Implement a Security Awareness and Training Program

16. Account Monitoring and Control

6. Maintenance, Monitoring and Analysis of Audit Logs

15. Wireless Access Control 7. Email and Web Browser Protections

14. Controlled Access Based on the Need to Know

8. Malware Defenses

13. Data Protection

Blue = people Red = process Green = technology

9. Limitation and Control of network Ports, Protocols, and Services 12. Boundary Defense 11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches

10. Data Recovery Capabilities

INFORMATION GOVERNANCE WORLD

INFORMATION SECURITY CIS Critical Security Control CSC 1: Inventory of Authorized and Unauthorized Devices Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to the public and private networks

Medium

Remediation Strategy Implement remediation actions in a reasonable amount of time

CSC 2: Inventory of Authorized and Unauthorized Software Devise a list of authorized software and version that is required in the enterprise for each type of system, including servers, workstations, and laptops

Low

Implement remediation actions after critical and high risks are addressed

CSC 3: Secure Configurations for Hardware and Software Establish standard secure configurations of operating systems and software applications and images should be validated and refreshed on a regular basis

Low

Implement remediation actions after critical and high risks are addressed

CSC 4: Continuous Vulnerability Assessment and Remediation Run automated vulnerability scanning tools against all systems on a weekly or more frequent basis

Critical

Implement remediation actions immediately

CSC 5: Controlled Use of Administrative Privileges Minimize administrative privileges and only use administrative accounts when they are required. Implement focused auditing on the use of administrative priviliged functions

Medium

Implement remediation actions in a reasonable amount of time

CSC 6: Maintenance, Monitoring and Analysis of Audit Logs Include at least two symchronized time sources from which all servers and network equipment retrieve time information on a regular basis

Critical

Implement remediation actions immediately

CSC 7: Email and Web Browser Protections Ensure that only full supported web browsers and email clients are allowed to execute in the organization

Medium

Implement remediation actions in a reasonable amount of time

CSC 8: Malware Defenses Employ automated tools to continuously monitor workstations, servers, and mobile devices with anti-virus, anti-spyware, personal firewalls, and host-based IPS

Low

Implement remediation actions after medium risks are addressed

CSC 9: Limitation and Control of Network Ports Ensure that only parts, protocols, and services with validated business needs are running on each system

Medium

Implement remediation actions in a reasonable amount of time

CSC 10: Data Recovery Capability Ensure that each system is automatically backed up on at least a weekly basis, and more often for systems storing sensitive information

Medium

Implement remediation actions in a reasonable amount of time

Security Assessment results can be visualized using an Infographic to summarize the overall all security posture (see chart above.) Security Assessment Metrics can also be evaluated by looking at which part of the assessment they are associated with. The metrics for a Penetration Test will be much different than the metrics resulting from a Security Skills Assessment. The bottom line is that Assessment metrics must be presented in a manner that is appropriate for the audience. This leads to another key point: executive engagement. It is fundamentally important that the executive team be an active participant in the Security Assessment 40

Risk

INFOGOVWORLD.COM

planning and review process. Firstly, C-level executives have a fiduciary duty to the organization to protect corporate assets and therefore it is imperative that they are participants in the organization’s security posture. Another important issue is that the findings of the Security Assessment may not be acted on unless the executive team agrees to prioritize the remediation activities. Presentation of Security Assessment metrics in an easy to understand format that conveys the important information efficiently will ensure executive team support. It is important to select the most appropriate framework for your Security Assessment, to involve the C-suite, and that the results are presented in

a manner that is tailored to specific audiences. If these guidelines are followed, your Security Assessment will provide actionable insights that, if acted upon, will help keep your organization’s information assets secure. BAIRD BRUESEKE HAS 25-PLUS YEARS OF EXPERIENCE LEADING COMPANIES AND DESIGNING SOLUTIONS TO SOLVE CUSTOMER PROBLEMS. HE CO-FOUNDED WHEB SYSTEMS WHICH GREW FROM A TWOPERSON START UP TO BECOME CAPTIVA SOFTWARE; A PUBLIC COMPANY WITH OVER 400 EMPLOYEES PURCHASED BY EMC. AFTER CAPTIVA, BAIRD’S INTERESTS TURNED TO EDUCATION AND CYBERSECURITY. HE CO-OWNS A PATENT AND CREATED A CLOUD-BASED PORTAL, CLAAS – COMPUTER LAB AS A SERVICE - WHICH PROVIDES ACADEMIC INSTITUTIONS THE ABILITY TO DELIVER A HANDS-ON COMPUTER SCIENCE LABORATORY EXPERIENCE TO DISTANCE LEARNERS. HE CAN BE REACHED AT BB@INFOGOVWORLD.COM

REDUCING THE RISK

SECURITY AWARENESS TRAINING – WHAT LEADING VENDORS THINK IS IMPORTANT

ecurity Awareness Training (SAT) can be an easy win for IG Programs. Implementation of a SAT program almost immediately reduces corporate risk. Knowledge retention testing and metrics confirm that employees have been trained, and the likelihood of an employee being tricked into providing network access to bad actors is reduced. So even though humans remain the weak link in cybersecurity defenses, the implementation of SAT programs significantly enhance corporate cybersecurity posture and provide executives with documented evidence that they have taken proactive steps to reduce risk. SAT under the umbrella of an IG program involves the entire employee base in a common activity that encourages behavior that enhances corporate security. This group participation combined with effective and on-going messaging, it leads to curious employees eager to find out what’s next. IG World embarked on a project to talk with leading SAT vendors and find out what they think is important. These vendors were identified as leaders in the SAT market: Global Learning Systems globallearningsystems.com Inspired eLearning inspiredelearning.com KnowBe4, knowbe4.com Media Pro, mediapro.com Ninjio, ninjio.com Phish Labs, phishlabs.com SANs Institute, sans.org Security Innovation, securityinnovation.com Wombat Security, wombatsecurity.com

IG World spoke with Gretel Egan, Product Evangelist for Wombat Security to find out how Wombat approaches the difficult process of changing human behavior. Gretel said “It is a mind shift, companies need to prioritize SAT on the same level as other job skills.” The Wombat Security SAT platform helps employees learn in small, incremental steps. Wombat believes that micro learning leads to better knowledge retention. Proofpoint, who acquired Wombat in 2018, has published research which shows that cybersec criminals primarily target people, not systems. This research supports the premise that humans are the weak point in cybersec defenses. The leading SAT companies all have platforms that integrate with corporate Learning Management Systems (LMS). One of the differentiators is the ability to integrate with IT Help Systems so that system administrators are notified when simulated phishing campaigns are initiated. This feature is an ease-of-use consideration which is especially useful in large organizations. Inspired eLearning’s VP of Marketing Kirk Wright told IG World that the ROI justification for purchasing SAT solution is simple. “I ask prospects ‘to think about how much money they spend on IT budgets for firewalls and other IT equipment” then I tell them ‘that with one click, a single employee can negate that entire budget.’ This is why SAT is important.” Recently, Inspired eLearning released new Vishing Capabilities for its PhishProof platform. Vishing is the use of social media to compromise unsuspecting employees. It is important for SAT vendors to

continuously update their training materials and Inspired eLearning is the first to offer Vishing training as a fully integrated part of their platform. KNOWLEDGE RETENTION THROUGH ENTERTAINMENT Knowledge retention is fundamental to the success of a SAT implementation. Ninjio has a unique approach to their training which engenders significant audience engagement through the use of American anime cartoon-like videos. Each month, Ninjio produces new animated videos, generally two to three minutes long. These videos are designed to convey cybersecurity lessons in an entertaining and engaging manner that employees will remember. Ninjio uses Hollywood writers to develop scripts based on real-world events. The actual company names are anonymized, but the scenarios are real, making the lessons more likely to stick. Ninjio founder and CEO Zack Schuler feels a tremendous amount of responsibility to provide quality content. Schuler told IG World, “I want to make sure I am reaching people with the most accurate information possible.” He went on to say, “Today we are saving data, in the future we (SAT) will be saving lives.” (The future may be closer than you think. You can read about medical device cybersecurity on page 14.) All of the leading SAT vendors have products which reduce corporate risk by educating employees to recognize potential threats and thus reduce the possibility of their being tricked into providing corporate information. In the next issue, IG World will examine the benefits of providing SAT to employee’s families. —Baird W. Brueseke INFORMATION GOVERNANCE WORLD

Human

The Ashish Gadnis Co-Founder & CEO, BanQu/Social Enterprise Entrepreneur

INFOGOVWORLD.COM

INTERVIEW WITH ASHISH GADNIS

HELPING THIRD WORLD CITIZENS ESTABLISH IDENTITIES WITH BLOCKCHAIN

BY ROBERT SMALLWOOD / PHOTOGRAPHY BY NIKKI ACOSTA Growing up in poverty in Bombay, Ashish never forgot how it felt to stand in food lines to survive. He went on to build a successful career as a serial entrepreneur, serving as founder and CEO of multiple technology startups delivering global mobile solutions. In 2012, he sold his last tech company to a multi-billion-dollar consulting firm and soon after, BanQu Inc. was born. Recognized for its groundbreaking for-profit/forpurpose innovation, BanQu has been the recipient of many awards including the MIT Enterprise Forum Pan Arab Innovate for Refugees Award, an Innovative Finance Grant from the Rockefeller Foundation, Best of Show at 2016 Finovate Awards, and 2016 Cashless World Award. Ashish has also earned awards for advancing progressive business solutions, technology, startups and social enterprise in extreme poverty and conflict zones. These include Young Global Leader - World Economic Forum, Minority Business Leader - Twin Cities Business, 40 under 40 - Business Journal, and Change-Makers Innovator Award for Coding Schools in Refugee Camps in East Africa. In addition to his role at BanQu, Ashish is also a senior strategic advisor to the United Nations on the Sustainable Development Goals 2030 agenda.

Touch

InfoGov: Where did you grow up? How would you describe your childhood? AG: I grew up in Mumbai, India. I grew up in poverty; we didn’t have much. We had to share one bathroom/toilet with 15 other families. I hated being poor. It was a struggle mostly. Standing in ration lines (for food) 3-4 hours every day was life. Where did you go to university and what did you study? What was your favorite subject? I went to Bombay University (I got a scholarship) to study engineering. I majored in Electronics and Systems Engineering. I really didn’t have a favorite subject, as all I cared about was getting a degree and getting the hell out of poverty. Who was your favorite professor, and why? My all-time favorite professor was Prof. Ricardo Hausmaan at Harvard Kennedy School, who teaches economics. Absolutely hands down the best professor, as I learned about his “jumping monkey” theory / global economy model, which has shaped my thinking around “trade not aid” to end extreme poverty. Tell us about your first venture in the computer business. I started my first job working on A Series mainframes back in 1989. My first startup was NonStopWireless back in 1999, a platform to help firefighters access building schemas so that they would know where gas lines were before they entered a building. When did you first hear of blockchain technology? In 2013, when I was volunteering in East Africa for USAID.

INFORMATION GOVERNANCE WORLD

INFOGOVWORLD.COM

PHOTOS ON OPPOSITE PAGE PROVIDED BY ASHISH GADNIS Ashish likes to work in his kitchen where philosophy and technology are just as important as what to make for dinner; Relaxing in his Texas home, Ashish enjoys a brief interlude from his hectic travel schedule.

We heard about your work helping underprivileged people in third-world countries. Can you tell us more about how that project developed? What were the biggest challenges? Our company BanQu is a software-as-a-service blockchain platform that is for-profit / for-purpose and dedicated to connecting millions of people who live in extreme poverty to the global supply chains they participate in, but are left out every day. We are on a mission to empower 100 million out of extreme poverty by the end of 2023. We have 3 big challenges that we encounter and overcome every day: First, traditional aid and social enterprise models take a pity approach. We take a dignity approach to ending extreme poverty. So, the challenge is changing the mindset around poverty. Second, most consumers don’t know that their coffee and jeans and shea butter and iPhone batteries are coming from extreme poverty zones where a family of eight makes less than $2 a day. Our challenge is getting large global brands and their consumers to recognize the “last-mile” in their supply chains. Finally, while most of the world either loves or hates bitcoin/ cryptocurrencies, there is very little awareness that the underlying technology––distributed ledger technology (DLT, aka blockchain) ––is much more than that. And that non-cryptocurrency blockchain platforms like BanQu are enabling people to climb out of poverty.

Our challenge is getting large global brands and their consumers to recognize the “last-mile” in their supply chains. How is it benefitting those who participate? At BanQu, we are extremely blessed to have customers like AbInBev, IDB, Shell Foundation, MARS, and JTI (among others) that see the value of BanQu in their supply chains to create transparency and traceability in a way that is not only profitable, but creates a significant positive impact in the communities they operate in. As for the “last-mile” (i.e., farmers, laborers, etc.), BanQu creates an economic identity that empowers the poorest to prove they exist in the world’s supply chain with dignity and credibility. A direct path out of extreme poverty. Permanently. Access to a digital identity is a big benefit that opens up future economic opportunities. INFORMATION GOVERNANCE WORLD

Special Thanks MAGNETIC FOCUS PHOTOGRAPHY N I KKI ACOSTA

I find myself being completely at home and sporting a huge grin when I am behind the lens. I’ve always had a passion for people and being able to capture pieces of my interactions with all shapes, sizes and personalities is a total dream job. I believe that every person has that one detail or factor about them that is worth doing a double take for; that special something that pulls you in. I’ve always photographed with the intention of focusing on the beauties, the layers, the colors and the vividness of every person or event I encounter. In a world so separated by many factors, I believe photography can be a medium that gathers people together and can further prove that we are all worth taking a moment for, we are all magnetic.

FACEBOOK.COM/MAGNETICFOCUSPHOTO 46

INFOGOVWORLD.COM

You also have a for-profit side of your business. Can you describe the use cases you solve, and how companies are benefitting? We have been generating revenue for almost two years now. Global corporations pay annual license fees for access to our cloudbased blockchain platform. BanQu increases efficiency in their supply chain by providing a seamless end-to-end “track and trace” mechanism. BanQu increases profitability because global brands have lower postharvest (or production) losses and unpredictability. BanQu delivers on key UN SDGs (Sustainable Development Goals) like gender equality, poverty reduction, and climate protection compliance (like the Roundtable on Sustainable Palm Oil - RSPO). What other emerging uses of blockchain technology do you see as promising? The big ones are: crop insurance for the poorest farmers, lower cost of credit for marginalized communities, education certifications for refugees and the displaced, health records for the poorest etc. What advice do you have for organizations wanting to explore the use of blockchain technology? The time for “wait and see” is over. You have to start. Start small, but start. Who is your most inspiring business leader and why? Mother Teresa. Because she saw Christ in every soul.

Most consumers don’t know that their coffee and jeans and shea butter and iPhone batteries are coming from extreme poverty zones where a family of eight makes less than $2 a day. If you could have dinner with three people, living or dead, who would they be and why? Rosa Parks, Mother Teresa, and Winston Churchill. Because each of them had three traits I value: resilience; fought for justice and equality for a better world; fearlessness. What is your favorite way to spend your free time? I haven’t taken any time off since the end of 2012. But if I had to, I would sit in my backyard staring at the hills and trees and meditating. What is the best vacation spot you have found? Haven’t found one yet. But my absolute favorite city in the world is Bogota, Colombia, because it’s where I experienced the freedom of having my own toilet for the first time in my life. I was 22 years old.

ASHISH GADNIS

CO-FOUNDER & CEO, BANQU/SOCIAL ENTERPRISE ENTREPRENEUR Ashish Gadnis is the co-founder of BanQu Inc., the first ever blockchain supply chain and economic identity platform for refugees and people in extreme poverty. An award-winning financial tech company with a social cause, BanQu strives to eradicate poverty by connecting the “unbankable” to a secure, portable digital economic identity -- simply through a cellphone app. This revolutionary technology provides a pathway into the global economy, creating Dignity Through Identity™ for people worldwide. Growing up in poverty in Bombay, Ashish never forgot how it felt to stand in food lines to survive. INFORMATION GOVERNANCE WORLD

Instructor-Led Classroom Training on IG with Leading IG Trainer Robert Smallwood Attend this popular classroom course held at one of the most beautiful college campuses in the world, the University of San Diego, which overlooks the Pacific Ocean. Taught by IG thought leader Robert Smallwood, the world’s leading trainer and author on IG topics, students get personal attention to ensure they grasp key IG concepts and can apply them to their work. The first day covers IG Basics including the IGP Certification Prep Crash Course, followed by two days of Advanced IG Training. The course is based on Smallwood’s groundbreaking text, Information Governance (Wiley, 2014, 2019), and also supplemental course materials.

3 Day Basic & Advanced Intensive Course

University of San Diego April 9-11, 2019 (Tues-Thur) Tuition Cost: $1,695* (Group discounts are available for 3 or more from the same company.)

Past attendees include IG professionals from major law firms, leading corporations, and large government agencies, including:

Includes: Tuition, Breakfasts, Coffee Breaks, and Supplemental Materials. NOTE: You must purchase the textbook prior to class. Housing options include nearby hotels in partnership with USD.

University of Miami November 19-21, 2019 (Tues-Thur)

3 Day Basic & Advan ced Intensiv Course e

* SUPER EARLY BIRD DISCOUNT: ($300 discount) Register by May. 19, 2019 Cost: $1,395 * EARLY BIRD DISCOUNT: ($200 discount) Register By Aug. 19, 2019 Tuition Cost: $1,495

“The 3-day training was very educational, and the small classroom environment made it even more interactive.” —RIM Manager, Fortune 500 Corporation

Topics Include: • • • • • • • • • • • •

Failures & Lessons Learned in IG GDPR, Big Data Impact IG Imperative IG Principles Role of Data Governance in IG IG Risk Assessments Strategic Planning for IG IG Policy Development IG Program Management Infonomics: The Value Side of IG IG for Legal Functions & E-discovery IG for RIM

• • • • • • • • • • • •

IG for IT Privacy Functions in IG IG for Email, Social, Mobile, Cloud SharePoint IG Digital Preservation Information Asset Registers Taxonomies & Metadata Cybersecurity in IG IG for Emerging Technologies The Role of Executive Sponsorship in IG IG Best Practices Developing Key Metrics for IG Programs

Take advantage of this exclusive training opportunity to educate your IG team! Seating is limited, reserve yours today at IGTraining.com, or call us at 888-325-5914!

ANALYTICS & INFONOMICS FOR THE RECORD

INTERVIEW WITH RICHARD KESSLER, KPMG

PHOTOGRAPHY BY ROBERT OCHARO / PIXEL LENZ STUDIO

ichard Kessler is a Director in the Cyber Services practice at KPMG, and specializes in IG, data governance, and operational risk control. He is part of the Strategy and Governance pillar with a specific focus on enterprise data and IG, and privacy. He advises firms on ways to design and implement programs that address IG, RIM, e-discovery, privacy/EU GPDR compliance, operational risk management, litigation readiness and response, data governance, technology risk, and enterprise change management. He has extensive experience working with organizations in the financial services, pharmaceutical, healthcare, biotech, legal services, insurance, retail, and aerospace industries, as well as with assisting law firms and attorneys with litigation, regulatory, and general investigative readiness and response. Where did you grow up? Go to school? I grew up in Bayside in Queens, NY and went to Polytechnic School of Engineering at NYU. What were your interests as a kid? I was interested in science, history, cycling, camping, fishing, basketball, volleyball, electronics, music, art, and just about anything related to computers and technology. My older brother taught me how to build computers––he was an expert coder at an early age before it was mainstream––and the first PC I built was an Apple II clone. Later on, when I was a high school senior, our school received a new client/ server classroom and the teachers didn’t know how to set it up. They handed the manuals to me and my friends and we set up the network for the school. How did you get into the records management side of the business? After interning at Chase Manhattan Bank as a helpdesk systems administrator while in college, I decided I wanted to work in technology roles on Wall Street as a career. I worked my way up the chain to technology infrastructure management; and after approximately 15 years at large financial services firms, I landed a lead role in IT at Citigroup Asset Management, based at 7 World Trade Center. On the day after September 11, 2001, I became responsible for the production recovery of the systems lost due to the terrorist attack. After recovery events, my management asked if––given my unique role during the recovery––I would help the firm to understand what data was important to our clients and to our business operations. This would help inform technology going forward and how to make available and best manage the most important data for the

INFOGOVWORLD.COM

firm, and improve our resiliency. My first records management role had a very practical, very real, post-9/11 focus. In addition to other responsibilities, I took on a records management role for Citi Global Investment Management technology. When did you move into more of an Information Governance role? Following my records management role, I worked for a few years as a data architect and business process reengineering evangelist focusing on trade automation and systems integration. That was a healthy departure from my roots and an opportunity to gain more of a business perspective on data. A tremendous opportunity arose in Citi Architecture and Technology Engineering to work on records and electronic communications management for Citi firm-wide. This was a dream job for me, and I landed the role. This included a year-long analysis of firm wide operational, security, discovery, risk, and records management requirements, focused on unstructured data and, in particular, electronic mail communications. I joined Citigroup’s Records Management steering committee, became interested in electronic discovery in 2005, and helped launch efforts to improve eDiscovery in 2006-2007––just after the first electronic discovery changes to the Federal Rules of Civil Procedure. This led to a more holistic perspective of many different domains related to data and information management. Put simply, this changed not only how the data and information was stored and managed, but also how it was accessed and used by business units and corporate functions, and the many purposes it serves. What key skillsets are most in demand in the IG space? My view is that real-world experience is vital. In particular, individuals with multi-disciplinary perspectives and bigpicture views, who can also grasp how to operationalize information governance concepts, will have the most to offer. IG also requires individuals with high emotional intelligence because of the different types of individuals we seek to bring together. IG leaders should value people of all opinions, backgrounds, and views; the magic of IG lies in bringing many leaders and subject matter experts together in a cohesive way such that the sum is always greater than the parts. Creating an environment that fosters collaboration and encourages healthy conflict and challenge is one of the most important skills to have if one wishes to be successful. In the near future, skillsets related to artificial intelligence will become vital; but at this moment, skills and experience in data science and analytics, privacy, security, agile development, intelligent automation and business process reengineering,

“

Creating an environment that fosters collaboration and encourages healthy conflict and challenge is one of the most important skills to have if one wishes to be successful”

Richard Kessler, KPMG.

INFORMATION GOVERNANCE WORLD

ANALYTICS & INFONOMICS data governance, information lifecycle (records management rebranded), and investigations (including eDiscovery) are all important. A strong foundation in technology is essential, and even better when coupled with law, risk management, or compliance. How would you compare working as an IG professional, as you did at UBS, versus performing IG consulting work? In my experience, I would compare it to the role of a plumber, electrician, or carpenter in building a house, or some combination thereof, as opposed to being the general contractor, engineer, architect, and builder. In-house roles typically limit IG professionals to a particular domain. All of those roles are vital, but now I’m being given the opportunity to design the village and have the benefit of an aerial view when inspecting a building site, as opposed to being inside the house while working on it. I’m blessed in that I’ve loved my work for decades, continue to be very passionate about it, and now consulting allows me more variety and work adventures than ever––and a chance to work on our clients’ most difficult problems. Most importantly, I feel that the work I’ve done as a consultant has helped inform my worldview of governance because I’ve been able to evaluate and assist multiple firms, across industries, as they tackle the same issues. For someone who is interested in having a broad and holistic view of what’s happening in the world today, it’s like being a “kid in a candy store.” IG had a rather slow awakening in the United States. Do you see that changing? What forces or influences are impacting that shift? Regardless of its original awakening, I see the adoption of IG in the U.S. accelerating significantly. This is due to disruptive forces that require firms to quickly modernize and adapt to new technology. Digital transformation, AI//intelligent automation, focus on the customer, new regulations, and, in general, and the explosion of data (e.g., IoT) are amongst the key disruptors and strongest forces that create the imperative for an integrated, simplified, and aligned view of data and information 52

INFOGOVWORLD.COM

at an enterprise level. Without IG, I don’t know how organizations develop a clear view of information risk, for example. Lacking a unifying function, the right hand simply will not have the bandwidth to know what the left hand is doing, figuratively speaking. However, I’ve seen a paradigm shift. Organizations are finally waking up to the business need for governance and I am thrilled to help them succeed in this transition. Information and data governance must be tied to the bottom line: what’s growing the business, what’s serving the clients, what’s driving innovation, and new product development. I strongly believe this is the key element that was missing historically. Sophisticated organizations now lead with value creation as a basis for establishing IG, while also including those things that are value-enablers (e.g., privacy, security, compliance) and embedding them as part of the design of every business or technology change. IG needs to be seen as an innovation accelerator, and not an inhibitor, for it to take root. How has the EU GDPR legislation impacted your U.S. clients? In anticipation of U.S. regulations that could come in the wake of the EU’s GPDR, and evidence of that reality arriving in the form of the California Consumer Privacy Act, our clients are realizing that addressing privacy appropriately requires a paradigm shift in thinking––in corporate culture, and most importantly how the personal data is governed. For example, using opt-out mechanisms are no longer sufficient as a sign of consent; consent settings and data gathering and management will have to change on all of their platforms in order to be compliant. The consent mechanism also has to be closely linked to the processing activity to prevent unlawful processing. Doing this consistently and at an enterprise scale is challenging, to say the least. These are just examples of other rights Americans are taking more and more seriously as they realize the dangers of unfettered abuses of data, over-collection without proper safe handling, and, in particular, the risk that data breaches may bring to an individual’s everyday life. It will take most organizations years to truly understand all of their data-processing activities

connected with personal data, so data privacy regulations have warranted taking a risk-based and risk-prioritized approach vs. a boiling the ocean, remediate-all approach. Also, organizations that think they may not subject to such requirements may need to take a closer look. For example, GDPR impacts many U.S. firms without a physical presence in the EU who participate in the EU digital single market––firms that electronically monitor the behavior of, or intentionally market products or services to, individuals in the EU. What is your take on some of the IG assessment models, such as the IG Process Maturity Model from CGOC or ARMA’s IG Maturity Model? I have made use of these types of models extensively in my career. Advancements in thinking about governance do not throw out the matured concepts in these models, but rather build and expand upon them, and, in particular, shift the emphasis that these models had on legal, risk, and compliance elements to those that would represent more of a business, client, and product-oriented view of data. In others words, these IG models have a lot of value, but have fallen short in capturing the attention of the C-Suite because the big picture is to transform and innovate or die, grow your business, create an agile enterprise, etc., and such frameworks have unfortunately (and often incorrectly) been viewed as inhibitors to progress. We hear KPMG is developing its own IG methodology. Can you tell us more about how that came about and where it stands?

Thought leaders across several practices contributed to a new approach to IG that enables positive business value by addressing the disruption that innovation in each domain can create. By viewing disruption as an opportunity and recognizing data as a strategic asset capable of empowering new business, our new framework represents a dramatic shift from the traditional models. We leverage governance with a focus on profit-generating activities, providing the organization what it needs to enable value. Areas such as addressing privacy, security, investigations, and lifecycle requirements are “baked in,” without being the primary focus. The approach has allowed firms to operationalize governance as a way to first achieve its primary objectives, all while embedding X by design, where X equals the aforementioned (e.g., risk, compliance, information protection etc.). Infonomics is a new hot topic area in IG. Can you generally describe your work in this area? While closely working with our clients, we’ve been exploring innovative ways to operationalize governance through proprietary approaches. These approaches are designed to quickly risk- and value-profile data in a way that enables informed decision-making around key data management activities. In contrast, many data valuation models and platforms being developed now are so complex, and so onerous from a data-collection perspective, that despite today’s technologies and computing horsepower, they may never be completed. To me, a parallel is the difference between modeling weather vs. walking outside, looking at the clouds, and knowing from experience that it is likely going to rain. It only takes a few seconds vs. millions or billions of calculations. There is a lot of readily available data and metadata that can be utilized; you just need to know where and when to look. What advice do you have for companies wanting to manage and monetize their information assets? Scaling traditional approaches and building ever-more complex models to mimic our increasingly complex world is not always the answer. The answer to many of our difficult problems lies in a radical re-thinking and new approaches to analysis; for example, looking for opportunities to make decisions on metainformation, rather than the detailed valuation attributes and underlying, gigantic pools of data. They are only going to get bigger and more complex; and if you miss a key data

source that would change your decision, you’ve failed. The answer is in how the monetization works, not how much data can be channeled into the models, which is what I’m seeing now. Firms are getting smarter about the cost-benefit of complex data modelling. They are paying more attention to origins and quality of the information they are relying on for key business decisions and risk management. What hobby or special skill do you have that might surprise your colleagues? What is your favorite book? Movie? I absolutely love scuba diving and, in particular, the disconnect from technology and the digital world that comes with underwater exploration. It is incredibly relaxing and peaceful to me, although some may think it is a terrifying activity to have as a hobby (I would advise them to try it with certified instructors). I also love to drive, and have explored a good part of the U.S. by car; although, there are many roads I’ve yet to explore in the U.S. and abroad. My favorite nonfiction book is Getting Things Done; it’s had a dramatic impact on my life and inspired me to pursue continuous learning, while maintaining a focus on the most important work of the day. My favorite fictional book (there are many) is probably Neuromancer by William Gibson. It opened up my imagination and filled me with wonder about the future. This won’t surprise you, but The Matrix is my favorite movie. Many sci-fi concepts in Neuromancer and The Matrix are becoming a reality today; that is more often than not an unsettling thought. What do you like most about New York City? What is your favorite lunch spot? New York is an adventurer’s paradise. It is constantly changing, improving, growing, and transforming––seemingly all for the better, especially when I compare it now to when I was growing up there decades ago. My favorite lunch spot is Virgil’s in Times Square; I’ve never been disappointed there and I enjoy the relaxed atmosphere. However, I’m always looking for a new favorite and thanks to NYC’s diversity, the opportunities are limitless. —Robert Smallwood RICHARD KESSLER IS A DIRECTOR IN THE CYBER SERVICES PRACTICE AT KPMG, AND SPECIALIZES IN IG, DATA GOVERNANCE, AND OPERATIONAL RISK CONTROL. HE IS PART OF THE STRATEGY AND GOVERNANCE PILLAR WITH A SPECIFIC FOCUS ON ENTERPRISE DATA AND IG, AND PRIVACY. HE MAY BE REACHED AT RKESSLER@KPMG.COM

News

ALATION SUPPORTS INFONOMICS Alation, a leader in the enterprise Data Catalog market has augmented its platform with increased support for the Chief Data Officer (CDO). CDOs looking to manage their data as an asset will benefit from the implementation of Infonomics principles in the form of data asset valuation models which are built into the platform. Support for both the Intrinsic Value of Information (IVI) and the Business Value of Information (BVI) models enables consistent comparisons across information classes. Infonomics metrics are now embedded in the Data Catalog. Alation’s leadership in the machine learning Data Catalog market will be accelerated by the recent infusion of a $50 million Series C funding round. The planned investment in engineering resources will build on the current Infonomics foundation and continue the evolution of a transformational product. There is a new breed of CDOs focused on maximizing the value of data. The city of San Diego (IG World’s headquarters) has been named the nation’s top performing data-driven city. The City’s commitment to open data has resulted in award winning projects such as its StreetsSD street maintenance initiative. In addition to the public, San Diego’s CDO Maksim Percherskiy uses big data analytics to share information with 11,000 employees in 35 separate departments. The evolving use of IG tools is beginning to maximize the value of data across diverse sets of systems, databases, and IoT devices, like smart parking meters. This trend will continue as companies like Alation invest research funds in the implementation of Infonomics methods. —Baird W. Brueseke INFORMATION GOVERNANCE WORLD

ANALYTICS & INFONOMICS

MASTER OF YOUR OWN DOMAIN THE ROLE OF INFONOMICS APPLICATIONS IN ENABLING INFORMATION GOVERNANCE | BY NEIL CALVERT

s demands on data and analytics to support successful decision-making increases, implementing an Information Governance strategy that goes beyond “we store everything” will be of critical importance. Investment into data & analytics work supports a wide range of business drivers such as improving operational cost efficiencies, business transformation, and overall business agility. Not all data is equal, which means there cannot be a single view of IG. New privacy roles, such as the GDPR’s Data Protection Officer (DPO), help users view data and the information it produces in new ways. Coupled with the principles of Infonomics— the measurement, management, and monetization of data—creating an effective IG strategy should be an evolving and graduated approach that acknowledges the value of an organization’s information assets. Figure 1 - Infonomics Model; Measure, Manage, and Monetise Information IG requires consideration of all four pillars of the business; people, process, technology, and information. It is the combination of these pillars that will ensure that IG principles are successfully adopted across the

business. Executive sponsorship, stakeholder consultation, information policy development/communication, information integrity, information organization/classification, information security/privacy, information accessibility, information control, information monitoring/auditing, and continuous improvement are significant elements of an IG program. Getting started can be challenging. Take the wrong approach and correction can be expensive. Although “Master Data Management” is where many businesses end up, the answer to the fundamental question of “what is my master data” remains elusive. Infonomics provides an approach to IG based on the value of information to the business. By understanding how information contributes to business outcomes, a methodology can be applied to assist in the prioritization of the work needed to implement effective IG. When Infonomics is implemented into a platform that accelerates the discovery of information value across the organization, the starting point for the IG conversation shifts to business value. If Infonomics is to assist in the development of the IG Strategy, the business must manage information as an asset. This requires new thinking based on the who, what,

where, when, and why of information. These are the questions that need to be answered if an IG strategy is to be based on the value of the contribution of information to the business based in evidence rather than opinion. LINQ brings Infonomics to life in a simple way so that information can be managed as an asset. LINQ informs business owners of the value of their information so that it can be applied in new ways to deliver business success. Figure 2 - The LINQ Language; building a Digital Twin of the business LINQ models the relationships between the four business pillars (people, process, technology, and information) from the perspective of how information flow delivers business outcomes. This model, or “Digital Twin,” becomes a representation of what really happens as information flows from source (data) to output (assets that enable a business outcome) per the LINQ language (see figure 2). By understanding the value of the information that enables the outcome at the end of the information flow, the value of the people, systems, processes, and interim information that enables the ultimate asset to be created, can be identified. The LINQ graphical workflow

Figure 1 MEASURE INFORMATION: • Quality • Value • Economics

MONETISE INFORMATION: • Justification • Inspiration • Execution Generating measurable economic benefits from or attributable to available information assets.

Source: Gartner February 2018 © Gartner

INFOGOVWORLD.COM

Gauging and improving information’s economic characteristics.

MANAGE INFORMATION: • Barriers • Frameworks • Organization/roles

Applying traditional asset management principles and practices to information.

Figure 3

INFORMATION FLOW – THE PURPOSE OF INFORMATION Action

Creates

Automates

System

Info

Supports

Supplies

System

Creates

Action

Info

Delivers

Used By

Business Outcome 2

Outcome

Output 1

Performs

People

Business Outcome 1 Outcome

System

Output 1 $17,200

SYSTEMS & PEOPLE – THE ENABLERS

Output 2

Output 2 8

Info

$41,000

Info 10

Figure 2 $5,200 Action 8

models and correlates data inputs, preparation and transformation steps, reporting outputs, business decisions, actions arising, and resulting business outcomes. It enables analysts to communicate and make transparent the true business impacts of different information, surface hidden dependencies and evaluate the impacts of any changes to the information, systems, and people needed to achieve business success. By orchestrating the organization’s understanding of its people, systems, and information, and value in business terms, LINQ helps to proactively facilitate a robust approach to IG. These insights are critical to the development of an IG strategy that will support activities to protect information of value whilst ensuring information of lower value is de-prioritized in terms of overall governance. Once the information flow is understood, the full principles of infonomics can be applied through the model to build a comprehensive value perspective. Of interest are Business Value Index (BVI) and Intrinsic Value Index (IVI). By recording the

validity, completeness, scarcity, and lifecycle of the information created by people and systems, BVI can be calculated as information traverses the business. When business relevance and timeliness are included, IVI is understood (see Figure 3). Figure 3 - Infonomics in LINQ - measuring BVI and IVI Including these quantifiable and qualify-able Infonomics-based data into an IG framework ensures that business value is the driver for your strategy, not the varied opinions of the people who believe their information is the most critical. As platforms like LINQ come onto the market, perhaps the most compelling reason for considering them is their ability to increase the level of discipline applied to managing information, treating it as the valuable asset it is. Through these new, value-based insights, the work required to develop and implement Information Governance strategies will become simpler, evidence-based, and more easily achieved. Thus, Infonomics software applications enable Information Governance programs to be more successful.

NEIL CALVERT IS A CO-FOUNDER, CO-INVENTOR, AND THE CEO OF LINQ, BASED IN WELLINGTON, NEW ZEALAND. NEIL HAS SPENT HIS VARIED CAREER ENABLING ORGANIZATIONS AROUND THE WORLD TO BENEFIT FROM AN INCREASE IN KNOWLEDGE ABOUT THE POWER OF THEIR INFORMATION ASSETS. SINCE 2014 NEIL HAS BEEN DRIVING LINQ’S APPROACH TO INFONOMICS BY EDUCATING PEOPLE HOW REPRESENTING THEIR BUSINESS AS A DIGITAL TWIN HELPS THEM SAVE MONEY AND THROUGH SIMULATING CHANGE IN THE CLOUD BEFORE IMPLEMENTING IT IN THE REAL WORLD. OUTSIDE OF WORK, NEIL IS A KEEN COOK AND ALSO TRAINS IN THE MARTIAL ART OF SHAOLIN KEMPO. HE LOVES NOTHING BETTER THAN FAMILY TIME SPENT OUTSIDE AROUND THE BEAUTIFUL NEW ZEALAND COASTLINE AND CAN BE REACHED AT NEIL.CALVERT@LINQ.IT.

$26,000 Action 10

System 8

Derived 2 People 8

Info 8

System 8

System 10

Derived 3

Info 10

People 10

System 10

IVI & BVI

Action 18

Derived 1

Info

Source 3 18

$26,000 Action 18

Source 2

Info

System 18

Info

System 18

Source 1 People 18

Info

Capture process 1

System 18

Capture 18

Supplier 2

Org

System 18

Supplier 1

Org

Business Value of Information (BVI)

decimal

Completeness

decimal

Intrinsic Value of Information (IVI)

decimal

Life Cycle

decimal

Relevance

decimal

Scarcity

decimal

Timeliness

decimal

Validity

decimal

INFORMATION GOVERNANCE WORLD

REGULATORY COMPLIANCE PRIVATE EYES

ELECTRONIC PRIVACY AND US LAW

he European Union, with GDPR, now has privacy regulation that is consistent and pervasive and crosses state and national boundaries. The U.S., by contrast, has a piecemeal, loose patchwork of federal and state privacy regulations that at times overlap and conflict with one another. (See Figure 1). In addition, the many different government agencies and private industry groups have created “frameworks” and “guidelines” that do not have any enforcement functions, known collectively as “best practices.” These self-regulating best practice frameworks are increasingly being used by regulators as enforcement tools. The U.S.’ patchwork system has been expanding since at least 1986 with the passage of the Electronic Communications Privacy Act (ECPA), which bridged an existing gap between electronic transfers and computer aided transfers using the Internet. Before the ECPA, U.S. federal law had been developing since 1970 to protect electronic transfers that used traditional telephony. The result is a complicated mess of Congressional acts that contain bits and pieces of relevant law implemented piece-meal as specific actions were deemed to be violations of privacy. This explains in part why lawyers and compliance consultants solicit substantial consultation fees.

Other U.S. Acts that have electronic privacy components include: • The Federal Trade Commission Act • The Financial Services Modernization Act • The Fair Credit Reporting Act • The Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM act of 2003) • Computer Fraud and Abuse Act This hodgepodge system of overlapping laws arguably encourages hacking and necessitates a stronger focus on cybersecurity for organizations trying to secure sensitive and personally identifiable information (PII). Ultimately, this meant someone needed to define elements of electronic information that should be private and protected. Although it has always been assumed that personal records such as credit card numbers and Social Security numbers must be kept private on the Internet, the federal government has been slow to define PII. In 2008, the United States Federal government defined PII in the broadest terms possible: any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual‘s identity, such as name, Social Security number, date and place of birth, mother‘s maiden name,

Figure 1 LAW

BRIEF OVERVIEW RELATING TO INFORMATION SECURITY

WHO IT IMPACTS

FISMA (Federal Information Security Management Act - 2002)

Recognizes information security as a matter on NATIONAL SECURITY

Federal Agencies dealing with information related to National Security

HIPAA (Health insurance Portability and Accountability Act - 1996)

Protects the privacy of patient records

Any company oragency that deals with Health Care

SOX (Sarbanes - Oxley Act - 2002)

Maintain and protect financial records for seven years

US Public Companies, accounting and management firms

GLB (Gramm-Leach-Bliley Act - 1999)

Mandates that companies secure private information of clients and customers

Financial institutions that offer financial products (insurance, loans, investments)

FERPA (Family Educational Rights and Privacy Act - 1974)

Protection of student records

Any Post-Secondary Educational institution

PCI-DSS (Payment card Industry/Data Security Standard - 2004)

Consumer credit card security

Companies involved in handling Credit Card information

SOURCE: ivhttps://www.semshred.com/data-security-compliance-which-laws-are-applicable-to-me/blog_image4/

INFOGOVWORLD.COM

News

U.S.A. VS EU Figure 2 1. Privacy laws change with each administration. 2. Individuals have little ownership of their online data, which allows large businesses can monetize consumer behavior and habits. 3. Privacy laws are often a messy combination of public regulation, private self-regulation, and legislation which varies by state. 4. Enforcement of privacy laws is carried out by several diferent goverment organizations, e.g. federal Communications Commission (FCC) and Health Insurance Portability and Accountability Act (HIPAA). 5. Numerous privacy organizations exist to provide legal framework, which ensure digital privacy to Americans. Ex: American Civil Liberties Union (ALCU) and the Electronic Frontier Foundation (EFF). 6. Companies can keep data indefinitely, depending on their own Terms of Service.

1. Privacy laws have less turnover when administrations change because most EU member states aren’t as polarized as the US. 2. EU laws respect “private and family life” and allow citizens to delete their data. 3. Privacy laws are generally more comprehensive and geared towards consumers. 4. Enforcement of privacy laws is carried out by one authority, equally for all 28 member states. 5. Due to the nature of EU rights, fewer privacy organizations exist but there are: The European Digital Rights (EDRi) and The European Privacy Association (EPA). 6. EU citizens have the “right to be forgotten,” meanng that search results can be removed if they are irrelevant or inadequate.

SOURCE: https://www.wordstream.com/blog/ws/2017/09/28/eu-gdpr

or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information This definition focuses on privacy after the fact, meaning a person must do something in cyberspace before protection of PII becomes an issue. This definition is problematic, in part because it is reactive, but also because the EU and most of the rest of the developed world view electronic privacy as a human right. 3 In the US electronic privacy is “action-focused.” The EU defines electronic privacy as “person-focused.” The EU approaches PII from the “person” perspective, or what actions a person could potentially undergo that would trigger PII protection. This aligns with Article 8 of the European Convention on Human Rights: “everyone has the right to respect for his private and family life.” GDPR Article 4 defines the person first: an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location number, an online identifier or to one or more factors specific to the physical, physiological,

genetic, mental, economic, cultural or social identity of that natural person. Actions an individual takes while in the digital realm, call for a broad definition of PII. Yet from the EU’s perspective PII is a catch-all approach that might give some American business headaches as they think about selling products to EU customers. The scope of person-centered privacy is illustrated in Figure 2. Given the EU’s approach to protecting PII, American businesses will likely have issues understanding the interplay between four specific rights GDPR expressly gives EU’s citizens. These rights are: 1) the Right to access personal data; 2) the Right to be forgotten; 3) the Right to erasure; and, 4) the Right to data portability. American businesses have great challenges ahead as U.S. consumers are awakening to the daily incursions into their privacy. A recent USA Today poll found that Americans are now more concerned about personal privacy than either healthcare or the economy. —By Mark Driskill

GCs FOCUS ON EDISCOVERY RISK During January’s Legalweek, a panel of attorneys from major companies stated that risk and cost issues—critical IG considerations—are paramount in evaluating e-discovery processes. The in-house counsel panelists on the, “Rethinking Your E-Discovery Approach for In-House Counsel,” panel cautioned against attorneys being seduced by fancy technology and instead should focus on risk and the impact of the e-discovery process on the company’s profitability. Brian Corbin, executive director and associate General Counsel at JPMorgan Chase & Co., said a legal department’s needs are influenced by industry segment, company size, industry, litigation profile, regulatory requirements, and other companyspecific variables. Dawson Horn III, AIG VP & Assistant GC, emphasized a focus on metrics to assess a legal department’s e-discovery process. “… one of the factors I point to is the increasing development of legal operations in corporate law departments in driving a more focused approach of what metrics are, how we can see and measure our costs and… how we can see and measure our risks over a course of data.” So there is no cookie-cutter approach that legal departments can apply. Each company is unique and e-discovery needs assessments and cost-benefit analyses must reflect that. Sometimes, highlylitigious companies simply outsource their e-discovery tasks, and sometimes, companies with low litigation profiles but few internal resources outsource those tasks. It is a risk and financial decision that each company must make. Handling e-discovery in-house may seem to be less expensive at first blush, but GC’s should also evaluate the level of risk this introduces. INFORMATION GOVERNANCE WORLD

LEGAL & eDISCOVERY WOMEN IN eDISCOVERY JESSICA R. GROSS | DATA PRIVACY & SECURITY ATTORNEY & LAUREN E. DOUCETTE, RCA | PRACTICE TECHNOLOGY & EDISCOVERY PROJECT MANAGER

omen have been making notable strides in professions that have been traditionally dominated by men—the technical legal field being no exception. This article features a national organization, Women in eDiscovery, as an example of some of the amazing things women have been able bring to the profession that help this generation of eDiscovery practitioners and the next to thrive. Women in eDiscovery (“WiE”) is a nonprofit community organization founded in 2007. Margaret L. Gavinag, Lana Schell, Shawnna Hoffman, and others saw a need to provide women with legal technology education, as well was networking and leadership opportunities. The goal was to give women practicing eDiscovery the kind of support they needed to be successful, whether they are working as lawyers, in litigation support, or on the eDiscovery service provider side. Soon after its creation, other inspired women began starting local WiE Chapters around the nation. Flash-forward 11 years and WiE’s goal is being met and exceeded every day. Today, there are more than 60 local chapters throughout the United States holding monthly and quarterly meetings for members, social mixers, community outreach opportunities, and charitable events. In October 2018, the San Diego, Orange County, and Los Angeles Chapters collaborated to host the first-ever Southern California Regional Tech Conference. And in 2019, WiE will put on its inaugural National Conference in Austin, Texas, from May 8th-10th. WiE has been integral to the advancement of many women in technical legal careers, with members going on to become partners at law firms, heads of eDiscovery and

litigation support departments, and even owners of technology vendor companies. For example, founder Shawnna Hoffman currently serves as Global Co-Leader of the IBM Cognitive Legal Practice. She is also an Automotive, Aerospace & Defense Client Partner and was certified as an IBM Thought Leader in 2015. Justine Phillips, former president of the San Diego Chapter, was recently named Partner at Sheppard Mullin Richter & Hampton, LLP in 2018. Former Meetings Director Ruth Hauswirth serves as Director of eDiscovery and Litigation at Cooley LLP. Indeed, the success stories among WiE leaders and members abound, proving that women have what it takes to advance the practice of eDiscovery and make a meaningful impact within their organizations and firms. But the women of WiE do not work alone. As a nonprofit, WiE draws on the support of both men and women in the community and from sponsors who believe in the importance of providing educational and leadership opportunities to women. As the famous African proverb goes, “It takes a village.” In other words, an individual’s upbringing is a communal effort, and one of the reasons the women of WiE have been so successful is because of the support the organization provides its members. Through efforts to raise women’s current status in eDiscovery careers and charitable contributions to provide greater access to school-age girls, WiE is making important strides to ensure women thrive among their male counterparts for years to come. Learn more at www.WomenIneDiscovery.org or contact LDoucette@sheppardmullin.com or JRgross@sheppardmullin.com

https://www.americanbar.org/content/dam/aba/administrative/women/a-current-glance-at-women-in-the-law-jan-2018.pdf

WOMEN IN PRIVATE PRACTICE 50% 45%

45%

35%

48.7%

30% 25% 20%

22.7%

15%

25% 19%

Women

10% 5% 0% Partners

INFOGOVWORLD.COM

Equity Partners

200 Largest Law Firm Managing Partners

Associates

Summer Associates

News

GLOBAL GROWTH

Global eDiscovery Market to Grow 11% During 2019-2024

TOP LEFT: Panelists at the Southern California Conference 2018 (from right to left) Tyler Crabtree, John Ellis, Candice Iha,; TOP RIGHT: WiE’s 2018 Board of the San Diego Chapter (from left to right) Jessica Gross, Erin Tomine, Trish Zaheer, Emily Roman, Lauren Doucette; CENTER: Members and Chapter Board Leaders from San Diego, Los Angeles, Silicon Valley, and San Francisco at the Napa Valley Wine Tour; BOTTOM LEFT: Leaders of Girls in Tech and WiE’s Charity Committee at the 2018 Charity and Silent Auction Event; BOTTOM RIGHT: 2018 President of WiE’s San Diego Chapter Lauren Doucette

According to the “Global eDiscovery Market Report 2019,” the eDiscovery market size will be $14.5 billion in 2019, and will grow to $27.2 billon million by 2024, with a CAGR of 11%. The Global eDiscovery report depicts the competitive market scenario based on production volume, sales, and revenue. The eDiscovery report essentially includes the supply chain analysis of top players, which include: Lighthouse eDiscovery, EMC, Thomson Reuters, Xerox Legal Business Services, Veritas, Navigant, UnitedLex, HPE, Exterro, Symantec Corporation, Epiq Systems, iCONECT Development, Ricoh, Consilio, KPMG, PwC, Deloitte, Accessdata, Kroll Ontrack, DTI, Guidance Software, Integreon, IBM, Zylab, FRONTEO, LDiscovery, Recommind, Kcura Corporation, FTI Technology and Advanced Discovery. The report analyzes the market share of each major global region and eDiscovery market players. Request a sample copy of the report at https://market. biz/report/global-ediscoverymarket-gir/24402/ INFORMATION GOVERNANCE WORLD

LEGAL & eDISCOVERY

GROWING UP LEGAL INTERVIEW WITH EDISCOVERY AND LITIGATION EXPERT RON HEDGES

he Honorable Ronald Hedges is a former U.S. federal judge, and member of the Litigation and Dispute Resolution practice group at Denton’s, the world’s largest law firm. He has extensive experience in e-discovery and in the management of complex litigation and has served as a special master, arbitrator and mediator. He also consults on management and discovery of electronically stored information (“ESI”). Where did you grow up? Go to school? I grew up in Hackensack, New Jersey, where, it turns out, I now live in the family home built in the 1920s (more or less). My undergraduate education was at the University of Maryland in College Park. I then attended Georgetown University Law Center. When did you first develop an interest in the law? What attracted you? My aunt was a legal secretary. She worked for various judges in the Bergen County Courthouse about one mile from where I grew up. I was very close to her and my “growing up” included a lot of time in that courthouse. So, I was in the company of judges and attorneys from an early age. That got me started “in” the law. Plus, I took some hard science courses in high school. That experience convinced my “the law” was for me. How and when did you get involved in the e-discovery side of the law business? I went on the federal bench in 1986 as a USMJ sitting in Newark. I saw disputes involving ESI over the years, but I “hit” the e-discovery world when I imposed sanctions on a company for spoliation of ESI. Richard Braman of The Sedona Conference and I connected, I joined Sedona, and the rest is history. That history includes me having written guides for judges published by Sedona and the Federal Judicial Center. I’ve also written a

INFOGOVWORLD.COM

number of ESI-related (and other) articles for other organizations, including the ABA and Bloomberg. What major trends do you see influencing e-discovery now, and over the next 5 years? Major trends? First and foremost, and this goes beyond e-discovery into electronic information as well as ESI, there is and will be continued emphasis on privacy and security. This is being driven by, among other things, legislation such as the GDPR and the California Consumer Privacy Act as well developments in the common law (perhaps most recently a decision out of the Pennsylvania Supreme Court). Then throw in the ethical obligations of competence and confidentiality. We need to grapple with privacy and security as litigators and, more generally, as attorneys. Beyond this, I think that we, as a profession, need to become more familiar with the “use” of ESI in both civil and criminal proceedings. ESI is ubiquitous. It grows exponentially in volume and variety. Certainly, there are a number of attorneys who can handle ESI. However, my experience has been that there are a number of attorneys who cannot. And I expect that, as we are confronted with new sources of ESI, the learning curve will become steeper. You were a federal judge in New Jersey. Why did you decide to get back into advising clients and focusing on e-discovery and IG issues? I sat on the bench in New Jersey for 21 years. Frankly, it just became the time for me to move on to other things. I’ve counselled on ESI and IG issues but, given my background, I’ve been able to counsel beyond those topics and address litigation management. What impact have you seen the EU GDPR legislation making on U.S. clients?

I believe that the biggest impact of GDPR has been to raise the level of awareness of privacy-related concerns among American businesses. Of course, GDPR will impact any business that is subject to GDPR and the question will become, for any such business, whether GDPR compliance become the baseline that affected businesses will build their policies on. However, I also believe that the more immediate concern for American businesses may be the CCPA. Granted, it will not go into effect until 2020—and I expect we will see more amendments to that law—but the CCPR will have nationwide implications. And then, we have the panoply of state laws on data privacy and security, as well as possible federal legislation. Suffice it to say that we are living in interesting times! IG has had a rather slow awakening in the United States. Do you see that changing? What forces or influences are impacting that shift? IG is nothing new, albeit we are beyond what used to be “records management.” In my opinion, IG is “awakening” because of the need to deal with ever-increasing volumes and varieties of electronic information (stored or in transit) that entities, both public and private, process and use on a daily basis. “Governance” is the only way to address this information. Plus, we have regulatory regimes in effect, sectoral in nature in the Nation (think of HIPAA as an example), although that may change to some degree if federal legislation comes to pass, that emphasizes the need for IG. Moreover, the 2015 amendment of Federal Rule of Civil Procedure 37(e), which introduced the idea of “reasonable steps” as a means to impose sanctions, emphasized the need for IG. What is one talent of hobby do you have that might surprise your colleagues in the legal profession? I like to read. What do you like most about New Jersey? What is your favorite lunch spot and why? So many great places; although, I must confess that I’m not a lunch type. I prefer dinners with friends. One of my favorites is Spanish Tavern in Newark. What do you like best about our new magazine? Short and to-the-point articles. Great graphics! RON HEDGES IS A MEMBER OF THE LITIGATION AND DISPUTE RESOLUTION PRACTICE GROUP AT DENTONS THE WORLD’S LARGEST LAW FIRM. HE HAS EXTENSIVE EXPERIENCE IN E-DISCOVERY AND IN THE MANAGEMENT OF COMPLEX LITIGATION AND HAS SERVED AS A SPECIAL MASTER, ARBITRATOR AND MEDIATOR. HE ALSO CONSULTS ON MANAGEMENT AND DISCOVERY OF ELECTRONICALLY STORED INFORMATION (“ESI”). HE CAN BE REACHED AT RONALD.HEDGES@DENTONS.COM

INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT

THE MEMORY COLLECTOR

INTERVIEW WITH PAT FRANKS – DIRECTOR OF THE MARA PROGRAM

r. Pat Franks authored Records and Information Management (2013, 2018) and co-edited the Encyclopedia of Archival Science (2015), Teaching and Learning in Virtual Environments: Archives, Museums, and Libraries (2016), and the International Directory of National Archives (2018). Currently she leads a team exploring Blockchain Technologies through the 3D PDF Consortium, which contributes directly to the ISO Technical Committee on Document file formats, EDMS systems and authenticity of information. InfoGov World caught up with her in her office at San Jose State University. Where did you grow up? Go to school? I was born in Simpson, Pennsylvania. My records and archives perspective and philosophy were formed over a lifetime, from my earliest work experiences during high school as a bookkeeper in a local auto supply store and later participation in the practical business world as co-owner of an office support center to my experiences creating and teaching classes, as well as designing and supervising educational programs to prepare students to enter the fields of archives, records and information management, and information governance. My education reflects my kinship to both education and the business world, as I completed a Bachelor of Science Degree in Business Education, a Master of Social Science with a Business Administration emphasis, and a Doctor of Philosophy in Organization and Management with an e-commerce specialization. How did you become involved in the San Jose’s School of Information MARA program? I had just completed my PhD in Organization and Management online through Capella University, obtained the CRM designation, and resigned from my professorship in New York to enter the world of consulting, when I saw an advertisement for an instructor to teach online for what was then the School of Library and Information Science—now

INFOGOVWORLD.COM

the School of Information. Having benefitted from online education myself while working full time, I recognized the value this type of program would bring to others. The two major qualifications were that the applicant had a relevant Ph.D. and was a Certified Records Manager. I immediately applied for the position that allowed me to teach and to coordinate the soon to be launched Master of Archives and Records Administration degree. This year marks the 10th anniversary of the program that began with 8 students and now has more than 100 actively enrolled students. Could you tell us about The International Directory of National Archives? Between September 2016 and November 2017, a colleague, Dr. Anthony Bernier, 46 students and alumni of the iSchool, and I participated in a research project that resulted in the publication of the first ever International Directory of National Archives. The purpose of the work is to bring together profiles of the national archives (or equivalent institutions) of as many countries as possible. The International Directory of National Archives is more than a compilation of the names of institutions and their contact information. The Directory provides a profile of each of 198 countries based on publicly available information gathered from websites, social media sites, journal articles, and books; assistance provided by current and past heads of archives and members of their staffs; and communications exchanged with scholars who have conducted their own research in some of the archives under review. The reader of the Directory will become aware of both the differences and similarities in the mission and vision, size and scope of operations, external environment, governing laws, and resources allocated to the archival and records management efforts among these countries. The Directory will serve as a benchmark from which to determine the progress, or lack thereof, made by these countries into the future. While the Directory is a worthwhile reference work, the

“

Today’s “memory keepers,” archivists and records keepers, are tasked with not only preserving evidence of events and actions that took place in the past but also capturing, protecting, preserving and making accessible evidence of events and actions taking place today.” data gathered can be viewed through various lenses. Today’s “memory keepers,” archivists and records keepers, are tasked with not only preserving evidence of events and actions that took place in the past but also capturing, protecting, preserving and making accessible evidence of events and actions taking place today. How does the IDNA book relate to RIM? This is a good question. When some think of “archives” they think of cultural heritage and reflections of days past. However, as Dr. Ian Wilson, former Librarian and Archivist of Canada, stated in the forward to this book, “Records document borders and boundaries, the rights of government, individuals and corporate entities within society, military service, land use, community and family history, immigration, and a host of other daily concerns. Just recently, new insights have emerged as ships’ logs and early aerial photographs show environmental change, and genealogy based on the archival record has become a growth hobby and basis for tourism.” What other projects have you been involved with? Which one is the most

memorable? I’ve had the privilege of working with a colleague, Dr. Luciana Duranti of the University of British Columbia, on two projects. The first resulted in the publication in 2015 of the Encyclopedia of Archival Science. The second work is due for release later this year the Encyclopedia of Archival Writers, 1515-2015. Both of these “Encyclopedias” include entries related not only to archives but also topics including records and information management, information governance, digital curation, and digital preservation. However, the publication of which I am most proud is the book, Records and Information, first published in 2013 by the American Library Association. The second edition was released in August of 2018. Both editions have been used in university classrooms as well as recommended by the Institute of Records and Information Managers for those preparing to achieve the Certified Records Analyst and Certified Records Management designations. How has records management changed in the last few decades? Emphasis on information as an asset. According to ISO 15489-1:2016, the International Standard for Records Management, a record is “information

Pat Franks – Director of the MARA, Graduate program & Professor, San Jose State iSchool.

created, received and maintained as evidence and as an asset by an organization or person, in pursuit of legal obligations or in the transaction of business.” Records management had traditionally been concerned with declaring records as “immutable” so that they could provide evidence of actions and transactions, especially when in pursuit of legal obligations. Records managers today are aware of the value of information to the organization to achieve their business goals. Records management programs are increasingly considered the keystone of a strong Information Governance program, INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT and records management concepts are being applied to enable organizations to create and capture records to meet requirements for evidence of business activity as well as to take appropriate action to protect the authenticity, reliability, integrity, and usability of information as business context and requirements for their management change over time. Rapid introduction of Disruptive Technology. Disruptive technology has always presented challenges that records management programs are in place to meet—consider the printing press, the electronic typewriter, and the personal computer—but new technology is now more complex and introduced at a much more rapid pace. Today, we must consider the types of records created through and stored in the cloud, social media, and blockchain technology. We must be aware of the type of data created and exchanged as part of the Internet of Things (IoT) by networked devices, such as self-driving vehicles and home appliances that contain electronics, software, actuators, and connectivity functionality. Those responsible for the organization’s digital assets must continually scan the horizon for emerging and developing technology to understand if and how they will impact the organization’s ability to create, capture, manage, preserve, and delete evidence of and information about business activities and transactions. Increased information volumes and new information types. Increasing information volumes and new information types continue to challenge records managers. As a result of the growth in the volume and variety of data produced, traditional methods of managing records are no longer effective. Advances in technology, such as artificial intelligence and machine learning, are being applied to classifying information for further action. Workflows are employed to automate records management functions, including both the declaration of records and their deletion. 64

INFOGOVWORLD.COM

“

Even a technology giant like Facebook is vulnerable to such attacks ”

Increasingly complex data protection laws. Organizations must comply with increasingly complex data protection laws, such as the EU General Data Protection Regulation (GDPR). In the U.S., the California Consumer Privacy Act of 2018 grants consumers the right to have a business delete their personal information with some exceptions. This means, in spite of the advice by some to “keep everything,” systems must include features that facilitate deletion. Regulations such as these and increased pressure from citizens are forcing business and the government to rethink their data retention policies and accelerate the disposal of non-essential content. What do you view as the biggest threat to data privacy? Malicious actors, both inside and outside the organization are the biggest threat to data privacy. I know that covers a lot of territory, since there are a variety of ways in which they can wreak havoc. As recently as November of 2018, Marriott International announced that the Starwood guest reservation database was breached, up to 500 million guests were involved, and for approximately 327 million of those, the information included some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date, communication preferences, and encrypted payment card numbers. Starwood guests who had a reservation between 2014 and up to September 10, 2018 were impacted. In January of this year, we learned that further analysis of the data revealed the number was far less than originally announced (possibly 380 million rather than 500 million) due to duplicate information. This breach resulted in a decrease in the value of Marriott’s shares on the stock market. Even a technology giant like Facebook is vulnerable to such attacks. We learned in September of 2018 that more than 50 million accounts were compromised in a massive hack due to the exploitation of vulnerability in Facebook’s code. The European

regulatory agency that oversees Facebook said it was investigating Facebook’s response to the hack on two levels: establishing whether it did enough to protect user data and whether it notified regulators of the breach within a 72-hour time period as required under GDPR. If Facebook violated the new law, it could be required to pay a fine of as much as $1.63 billion, or 4% of their annual revenue. What advice can you offer today’s MARA graduates? Professional certifications are highly valued and often listed as required or desired in job announcements. Since 2016, MARA graduates have been granted credit for 5 parts of the 6-part ICRM examination. They should definitely take advantage of this opportunity to apply for part 6 to become Certified Record Managers. In addition, 10 of the required courses they take while in the program are pre-approved to sit for the Certified Archivist exam offered through the Academy of Certified Archivists. They should pursue this credential as soon as possible after graduation. Depending on the electives they select, MARA graduates should also be in a position to pass the examination to become Information Governance Professionals. In addition to obtaining professional certifications, MARA graduates should become active in professional associations, build their professional networks in both the physical and virtual domains, and engage in life-long learning (whether formal education or professional development opportunities). —Mark Driskill DR. FRANKS IS A PROFESSOR AT SJSU’S SCHOOL OF INFORMATION WHERE SHE COORDINATES THE MASTER’S DEGREE IN ARCHIVES AND RECORDS ADMINISTRATION. SHE ALSO SUPERVISES THE VIRTUAL CENTER FOR ARCHIVES AND RECORDS ADMINISTRATION (VCARA) IN SECOND LIFE. FRANKS WAS A MEMBER OF THE INTERPARES TRUST RESEARCH PROJECT (2013-2018) WHERE SHE LED TWO TEAMS: 1) SOCIAL MEDIA AND TRUST IN GOVERNMENT AND 2) RECORDS RETENTION AND DISPOSITION IN A CLOUD ENVIRONMENT. SHE IS CURRENTLY WORKING ON A NEW BOOK TO BE PUBLISHED IN 2019, THE ENCYCLOPEDIA OF ARCHIVAL WRITERS, 1515-2015. SHE MAY BE REACHED AT PATRICIA.FRANKS@SJSU.EDU.

FARM REPORT FINDINGS

n the recent Federal Agency Records Management (FARM) report findings, Alex Sisserson wrote an article called, “The Challenges of Analog Records Management,” which highlighted the findings of the Federal Agency Records Management (FARM) report. The report highlighted several concerns that the United States National Archives and Records Administration (NARA) faces around analog records. Although “96% of agencies said they are aware of the requirement to formally request permission from NARA to retain permanent records beyond their eligibility to transfer them to NARA, there was little or no change in the number of agencies transferring permanent records in any format.” A statistic this high means that agencies either do not feel the formal request requirement is a priority, or they believe there are little to no consequences of not reporting. The other key point in this finding is the “any format” statement. There does not appear to be an all-encompassing approach to address analog or electronic records as it pertains to the 96% of agencies that indicated awareness of NARA’s requirements. The report also indicated, “41

percent of agencies have records that are 30 years or older that are not being stored with NARA, meaning they are being held in offices or facilities.” With nearly half of the agencies impacted by this statistic, there appears to be a “wait and see” mentality among these agencies regarding records that are over 30 years. Perhaps these agencies are waiting on funding for digitization, the records have been digitized and disposition has not occurred, or the records are originals and have yet to hit any actionable record or archival event. Further, it is unknown how many records are stored in government owned or managed facilities and third-party organizations. “Only 22 percent of agencies transferred electronic records to NARA in 2017.” It is encouraging to see that some of the agencies have started transferring records electronically to NARA. If this number increases significantly through 2019, it is a promising indication that agencies will be on track to meet the 2022 deadline. If the number of agencies is not at 75% after 2019, it is unlikely that the remaining agencies will be able to meet the 2022 deadline unless they are provided additional

REFERENCE: Sisserson, Alex. (2019, January 19). “The challenges of analog records management.” GCN. https://gcn.com/articles/2019/01/02/analog-records-management.aspx

resources and directives to be ready for the 2022 requirement. Going digital is a smart decision that ensures records can be shared, secured, and tracked efficiently. However, poor indexing, tracking issues, and inventory control issues could lead to inaccuracies or worse—lost records. Agencies must work with NARA, agency leadership, and outside vendors to ensure the 2022 deadline is attainable, and if not, determine what steps are needed to help agencies meet their digital requirements with NARA by 2022. Sisserson discusses the benefits of working with third parties to help with attaining the digitization goals. But ensuring agency leadership is on board, NARA is empowered, and the digitization initiative has the oversight needed to make sure no records are left behind is essential. —Andrew Ysasi ANDREW YSASI, MS, CRM, FIP, CIPM, CIPP, CISM, PMP, IGP IS THE VICE PRESIDENT, ADVOCACY OF VITAL RECORDS CONTROL AND PRESIDENT OF IG GURU®, A NEWS ORGANIZATION TO ENSURE RELEVANT IG NEWS IS SHARED WITH THE IG COMMUNITY. HE HAS VOLUNTEERED WITH ARMA, THE ICRM, WORKED AS AN ADJUNCT PROFESSOR AND FOUNDED A CAREER CONSULTING PRACTICE – ADMOVIO®. ANDREW HAS SPOKEN ACROSS THE UNITED STATES AND CONTRIBUTED TO ARMA’S INFORMATION GOVERNANCE BODY OF KNOWLEDGE (IGBOK) AND RECORD MANAGEMENT CORE COMPETENCIES 2ND ED. HE MAY BE CONTACTED AT ANDREWYSASI@PROTONMAIL.COM INFORMATION GOVERNANCE WORLD

RECORDS & INFORMATION MANAGEMENT

BUSY INTERSECTION RECORDS MANAGEMENT’S INTERSECTION WITH DATA PRIVACY MANAGEMENT BY TERESA SCHOCH

ith the tsunamic rise in electronic information doubling at regular intervals, 4 complexity in information management has resulted in newly created or redefined roles tasked with creating order out of chaos. Information professionals attempt to control their domains in roles described as content management, knowledge management, eDiscovery, data management, data security, records management, privacy management, and Information Governance. Due to an increased focus on privacy rights in the EU, as well as in individual U.S. states, potential enforcement actions had an alarming impact on all of these roles, often causing intra-organizational conflict as enforced silos inhibit compliance with expanding and complex privacy laws. Other than prohibitively expensive eDiscovery disasters or unexpected regulatory audits leading to fines, in the past, there has been no real accountability in the U.S. as to how an organization maintains, organizes, creates, and/or disposes of its information. However, data breaches of private information, as well as the hacking of business and trade secrets, have become commonplace. 5 Corporations have scrambled to determine the what, where, when, and ownership of information that has been compromised, often racing against the clock to notify law enforcement and impacted individuals in time to avoid financial damages. C-level executives have lost their jobs over their company’s mishandling of breaches. 6 A court allowed a class action by credit card holders against Neiman Marcus,7 and the FTC acted against Wyndham Resorts for failure to protect the data of its customers. 8 The potential for fines imposed by the FTC or state attorney

INFOGOVWORLD.COM

generals based on state data-breach laws, damages in private law suits, or the untimely loss of highly placed executives increases the likely costs of a future breach. In addition, as reflected in the Neiman Marcus case, damage to a company’s reputation due to the scrutiny of its glaringly inadequate Information Governance serves to motivate others to remedy inadequate IG frameworks. 9 Meanwhile, the EU has the right to fine U.S. organizations collecting data on EU residents up to 20 million Euros, or 4% of global sales, for the mishandling of personal data pursuant to the General Data Protection Regulation (the “GDPR”), which became effective on May 25th, 2018. While it has always been my view that records management is the core of information management, since it is the gatekeeper to all information of ongoing value to the organization (a record is defined as information that has business value or meets regulatory or litigation requirements), it is even more obvious in privacy management now that private data being maintained is required to be held for a specified time in a specified manner. Personal data must be capable of easy access and any data maintained on a protected individual must be accurate. In addition, when private data no longer has business value, the risk of maintaining it becomes prohibitive

and it must be deleted in a manner that ensures continued privacy protection. As records managers assess their own domains, they realize that many of the obligations created by new privacy laws can only be met if they understand the new laws’ effects on how the they manage personal data pursuant to laws that impact their organization. I erroneously assumed that privacy managers/attorneys/ directors would expand their roles by learning the RIM world and addressing the changes required by privacy laws, but I repeatedly hear that, instead, they refer the details of maintaining privacy-related records to their records staff. While I applaud the respect shown by their willingness to delegate the legal duties of access, scheduling, deletion, and reliability of personal data, it creates new dynamics and an increased level of responsibility within the RIM framework that might not be thoroughly understood by the organization. Since the GDPR has taken effect, many corporate attorneys have instructed the RIM staff to reassess records retention schedules based on the GDPR. Overworked professionals from all domains have developed plans to meet compliance requirements, often attempting to make the law fit into how they have

always handled their duties in the past. As an example, I have seen the RIM “big bucket” approach utilized to create records retention schedules for global records containing personal data of EU residents in a manner that could lead to fines in the millions. When an EU country requires employment records’ retention of thirty years, while another country requires disposal of the same record types three months after termination of employment, a default to a thirty-year schedule for all EU employment-related data is simply an unsound practice. Likewise, deletion of all EU employment data three months after employment termination would leave an organization open to an inability to meet the legal obligations of other jurisdictions, and to the inability to defend the organization in the event of litigation. In this instance, each country needs to be addressed individually. If there is a legitimate basis for maintaining personal data (e.g., potential litigation relating to employment), the data can be maintained under GDPR solely for that purpose, even if there is a

privacy-related requirement of a shorter retention period for that specific data. In these “conflict of laws” situations, the data maintained for the interim retention period based on legitimate business interests requires heightened security as well as restricted access. Retention schedules relating to records containing personal data have their own rules, often involving a conflict of laws, that require a new data-scheduling framework within the RIM environment. In the RIM domain, managing data that contains personal data is an example where less is more. With less information, it is easier and faster to retrieve relevant information (in this case, personal data), costs less to maintain, and limits liability to those whose information is deleted as soon as it no longer has business value. Until recently, the decision to “keep it all” was based on an assessment of return on investment that considered the risks worth taking compared to the cost of ensuring compliance through the creation of a long-term Information Governance (IG) roadmap. The lack of calculated routine disposition

was defended as a strategic decision to maintain data for marketing or business planning using increasingly sophisticated analytical software. However, attempting to meet GDPR requirements while maintaining large data pools or warehouses of information that have not been identified, much less classified (the unknown unknown), creates an extremely difficult environment for compliance. For companies that do business with European residents, enforcing defensible disposition has become a critical mission. While scheduling records disposition has become more complex under GDPR, meeting a defensibility standard relating to disposition has become easier. TERESA SCHOCH IS A PRIVACY ATTORNEY AT AXIOM. SHE HAS A DIVERSE BACKGROUND IN LAW, PRIVACY, SECURITY, ELECTRONIC RECORDS MANAGEMENT, INFORMATION MANAGEMENT, CONTENT MANAGEMENT, CORPORATE RISK MANAGEMENT, REGULATORY COMPLIANCE, SEARCH METHODOLOGY, STRATEGIC PLANNING, ETHICS, CHANGE MANAGEMENT AND INFORMATION RISK MANAGEMENT. SHE MAY BE REACHED AT TARANORE@YAHOO.COM.

INFORMATION GOVERNANCE WORLD

DATA GOVERNANCE

9 STEPS TO GOVERNING DATA EFFECTIVELY Nine key steps you can take to govern data effectively are: 1. Recruit a strong executive sponsor. As in broader IG efforts, data governance (DG) requires cross-functional collaboration with a variety of stakeholders. To drive and facilitate this sometimes contentious conversation, a strong executive sponsor is required. This is not an easy task since executives generally do not want to deal with minutia at the data level. You must focus on the realizable business benefits of improved DG (i.e., specific applications that can assist in customer retention, revenue generation, and cost cutting). 2. Assess your current state. Survey the organization to see where the data repositories or silos of data are, what problems related to data exist, and where some opportunities to improve lie. Document where your DG program stands today and then map out your road to improvement in fundamental steps. 3. Set the ideal state vision and strategy. Create a realistic vision of where your organization wants to go in its data governance efforts, and clearly articulate the business benefits of getting there. Articulate a measureable impact. Track your progress with metrics and milestones. 4. Compute the value of your data. Try to put some hard numbers to it. Calculate some internal numbers on how much value data—good data—can add to specific business units. Apply some of the formulas for calculating the value of information presented in Doug Laney’s groundbreaking 68

INFOGOVWORLD.COM

NOTE: Excerpt from Robert Smallwood’s new book Information Governance (Wiley, 2019). Used with permission

Infonomics book. Data is unlike other assets that you can see or touch (cash, buildings, equipment, etc.), and it changes daily, but it has real value. 5. Assess risks. What is the likelihood and potential cost of a data breach? A major breach? Are ransomware attacks on the rise in your industry? What factors come into play, and how might you combat these potential threats? Perform a risk assessment to rank and prioritize threats and assign probabilities to those threats so you may develop appropriate countermeasures. 6. Implement a going-forward strategy. It is a significantly greater task to try to improve DG across the enterprise for existing data, versus focusing on smaller business units, one at a time.10 Remember, you may be trying to fix years if not decades of bad behavior, mismanagement, and lack of governance. Taking an “incremental approach with an eye to the future” provides for a clean starting point and can substantially reduce the pain required to implement. A strategy where new data governance policies for handling data are implemented beginning on a certain future date is a proven best practice. 7. Assign accountability for data quality to business units, not IT. Typically, IT has had responsibility for data quality, yet the data generation is mostly not under that department’s control, since largely data is created out in the business units. A pointed effort must be made to push responsibility and ownership for data to data stewards in the business units that create and use the data.

8. Manage the change. Educate, educate, educate. People must be trained to understand why the DG program is being implemented and how it will benefit the business. The new policies represent a cultural change, and supportive program messages and training are required to make the shift. 9. Monitor your data governance program. See where shortfalls might be, and continue to fine-tune the program. From a risk management perspective, DG is a critical activity that supports decision makers and can mean the difference between retaining a customer and losing one, or even saving lives in healthcare settings. Protecting your data is protecting the lifeblood of your business, and improving the quality of the data will improve decision making, foster compliance efforts, and yield competitive advantages. —Robert Smallwood

MASS DATA GOVERNANCE IS MAJOR TOPIC AT WORLD ECONOMIC FORUM

t the recent World Economic Forum held at the Davos resort in Switzerland, global data governance (DG) and tech sector regulation were major topics. The strongest call for tech regulation came from Japanese Prime Minister Shinzo Abe, setting the stage for DG to be a central theme of the upcoming G20 summit, to be held in Osaka this June. Abe proposed expanding World Trade Organization rules to cover trade conducted by means of digital data. The VP of China echoed Abe’s call for data oversight and international standards. The U.S. did not attend the World Economic Forum, but should be represented at the upcoming G20 summit. Japan is looking to take the lead on the development of international data handling agreements at the G20 in Osaka. Abe emphasized that his proposal for free trans-border (international) data flow applied only to business data needed for business transactions and growth. The handling of PII will be addressed at this summer’s G20 summit.

COLLABORATION IS KEY TO DG BY MERRILL ALBERT

key element of data governance (DG) is collaboration. DG is not something that someone does alone, and it’s not a group of people you ask to fix data after you’ve made a mess of it. I talk about DG as being a lifestyle. When you embed DG into your daily tasks, what you’re doing is creating that mindset you need to value the data you’re using. Think of it like cleaning out your closet. If you’re always keeping it clean and orderly, you won’t have that massive task of trying to clean it later when you really need something or you try to move. Valuing what you do with data, treating it well, and thinking of how it’s going to be needed in the future build that mentality about data that organizations need. People—stakeholders—throughout the company need to be engaged. Look at how your company is structured and make sure that you have representation throughout the company. And don’t forget the lawyers. While you might not talk to them a lot, they have insights others might not normally think about. They, and your record management team, might share issues around how long data needs to be retained, but also when it should be destroyed. Attorneys want the company to have the data it needs for legal actions, but also want to destroy the data once it has passed the necessary retention period. Also think about privacy. There are plenty of data privacy issues in the news these days, but make sure you truly understand what you need to do. Many companies have employees devoted solely to privacy, such as CPOs, and they can be a good resource for your DG initiative too. MERRILL ALBERT IS A LIFELONG DATA PERSON SPANNING THE FULL SPECTRUM OF THE DATA MANAGEMENT LANDSCAPE THROUGH BOTH INDUSTRY AND CONSULTING ROLES. SHE BELIEVES IN UNDERSTANDING THE BUSINESS NEEDS OF THE DATA. WITH A FOCUS ON DATA GOVERNANCE, SHE IS PASSIONATE ABOUT GETTING THE RIGHT DATA IN THE RIGHT HANDS TO USE COMPLIANTLY AT AN ENTERPRISE LEVEL.. SHE CAN BE REACHED AT MERRILLALBERT@HOTMAIL.COM

INFORMATION GOVERNANCE WORLD

CONTENT SERVICES CONTENT MANAGEMENT’S NEW WORLD ORDER BY JAMES C. JUST

uch has been written about the death of enterprise content management (ECM) and the rise of Content Services. Gartner has proclaimed “ECM is dead. Long live CS!” It is true that the Cloud has shifted content management in ways that were not predictable, offering a plethora of new services—Enterprise File Share and Synch (EFSS) services like Box and DropBox, Office 365, OneDrive for Business, Google Drive, content collaboration platforms (CCP), and others. Also, Enterprise Resource Planning (ERP) solutions continue to expand their content management capabilities by incorporating content control into their processes. In the end, it is not the platform that is critical, but managing the lifecycle of content. The move to EFSS solutions has been driven by IT cost reduction and user need for simple collaboration—especially with external partners—a good first step away from clunky, disjointed, collaboration-by-email. Unfortunately, the move to the Cloud has generally followed the same disorganized storage pattern as network fileshares. Cloud users created folders and named files haphazardly rather than within the organized context of an established taxonomy. Or, IT simply moved the existing file shares to the cloud en masse. The result? Same mess; different platform. Moving existing file-shares to the Cloud may improve content findability and lower costs. However, this does NOTHING to resolve lifecycle control—required to execute information governance (IG). To do so first requires the challenging task of classifying content. Classifying content in a manner that allows for lifecycle governance requires an enterprise classification or taxonomy, or a formal structure tied to retention rules under which users have flexibility to build their own filing taxonomy. Many consultants follow ISO 15489 (Information and documentation -- Records management) for Functional Classifications; however, ANY standard taxonomy is better than nothing at all. Using a classification scheme, content can be classified

INFOGOVWORLD.COM

and then managed per records management requirements (i.e., retention or destruction). The remaining valuable content (about 20 - 40% of the original) can be migrated to a new, better, and more organized location. Shared drives (on premise or EFSS) folder structures are built replicating the new functional classification. IG teams then have the structure needed to delete content when it meets destruction rules. Conversely, classified content can be easily migrated to an ECM system, which has comprehensive lifecycle management controls. Content Analytics software solutions: 1. identify possible classification terms; 2. semi-automate content remediation; 3. tag content with identifiers that help with organization and find-ability; 4. identify duplicate content that may, after careful consideration, be deleted; 5. locate and tag files with personally identifiable information (PII) to enable privacy compliance; 6. and migrate content to one or more locations where it will be controlled through its lifecycle. Most of these classification or categorization systems employ some form of artificial intelligence (AI) to autoclassify content. And these solutions audit all actions taken on content, which provides defensible deletion of data.

Active Navigation, Concept Searching, IBM, NetGovern, Nuix, Haystac, ShinyDocs, and ZL Tech are just a few of the content analytics vendors in the market. Like any solution, requirements drive the choice of tool to use. NEW CONTENT MANAGEMENT SOLUTIONS EMERGE A relatively new breed of content management solution is “manage-in-place” solutions. In the last few years, OneDrive, Box, DropBox, and others have added retention management rules to their platforms, allowing for content on those platforms to be “managed in-place.” AODocs offers ECM capabilities to Google Drive. A product currently in development will add “ECMlite” capabilities onto shared drives. Some content analytics solutions classify content and insert metatags, allowing for content to be “managed inplace.” These solutions unlock the potential of unstructured information and will be a boon to IG professionals responsible for the application of IG policy to content—but only if content is first classified. Regardless of the content management platform, organizations need IG policies, procedures, strategies, and metrics to control and manage all content through its lifecycle. The more content management platforms in use in the enterprise, the more complicated, time consuming, and expensive it will be to apply IG controls consistently across all platforms. Locking down platform choices and banning the use of all other platforms (unless justified to the IG team and approved) is both necessary and practical. Any solution deployed must be able to accommodate IG policy and have workable capabilities to manage the content lifecycle.

Unclassified content cannot be controlled, so the first step to gain control of content will always be to classify it so policy can be applied and the proper action taken today and in the future. Simply turning users loose with instructions to “delete anything you don’t need” will breach IG policy and will not be legally defensible, leaving no audit trail of what was deleted—the antithesis of defensible deletion. As both the number and size of files grow logarithmically, gaining control of unstructured, unclassified content should be a priority in every organization. In our experience, and in discussions with organizations that have completed content remediation efforts, a 50% to 80% reduction in content can be expected by identifying and purging e-trash, ROT, and stale data. The benefits of clean content go far beyond IT cost savings (although not trivial) to include saving users time finding information needed to complete work, improving compliance capabilities and legal posture, reducing duplicates and identifying the trusted version, and enhancing the findability and share-ability of content. Every year the problem gets worse. Get started; no time like today! MR. JUST HAS TWENTY YEARS’ EXPERIENCE IN INFORMATION GOVERNANCE INCLUDING CONTENT MANAGEMENT TECHNOLOGIES, WORKFLOW/BPM, BUSINESS PROCESS REDESIGN, CONTENT ANALYTICS, AND POLICY. MR. JUST FOCUSES ON DRIVING THE VALUE OF ENTERPRISE DATA, LEVERAGING LEADING EDGE TECHNOLOGIES, RETIRING RISK AND IMPROVING WORK PROCESSES. MR. JUST HAS WORKED WITH A BROAD SPECTRUM OF ORGANIZATIONS ACROSS GOVERNMENT AND COMMERCIAL SECTORS. HE MAY BE REACHED AT JAMES.JUST@IMERGECONSULT.COM

WHAT’S A BYOD TO DO?

he prevalence of Content Services and Enterprise File Sync and Share (EFSS) has brought to the fore the issue of document authenticity and integrity. This is because applications such as Google Drive and Box make it possible for a mobile phone user to manipulate that document in a platform that is less secure and then save it back to the more secure cloud system. From a records management and IG perspective, this represents a weakness in the chain of custody. As if that is not bad enough, “Sync operations can vary depending on the network users work on.” Wi-Fi hotspots are everywhere. This is only the beginning of the potential security risks as the number of those who use personal devices at work increases. It was a decade ago that Intel first introduced the acronym BYOD (Bring Your Own Device) to categorize the growing number of employees who used their personal devices for business. Most of the buzz surrounded the security of these devices; the danger being users do tend to lose them. Proprietary and otherwise confidential internal documents are the stuff of corporate espionage. Given the impact BYOD had on the enterprise (i.e., a nearly unmanageable state of cyber-protection), IT departments scrambled to either ensure personal devices were secure within the enterprise or banned entirely from the office. Crucially, BYOD is attractive because it gives employees the ability to work anywhere there is an Internet connection. This, combined with the prevalence of cloud computing, presents to the enterprise a new problem with old security issues. The security of data stored on a secure cloud system is only as good as the security on the device used to open that document. While IT professionals, compliance officers, and others understood that Enterprise Content Management (ECM) had the scope to manage BYOD, the primary concern was the authenticity of documents stored on a cloud system as users shared and collaborated on projects. —Mark Driskill REFERENCE Gold, Jack E. (2019, January). “Does enterprise file sync and share work on mobile devices?” TechTarget. https:// searchmobilecomputing.techtarget.com/answer/Does-enterprisefile-sync-and-share-work-on-mobile-devices

INFORMATION GOVERNANCE WORLD

CONTENT SERVICES

THE CASE FOR AN ENTERPRISE OBJECT-ORIENTED INFORMATION TAXONOMY BY EUGENE STAKHOV

nformation and “digital disruption” have changed the way business is done. But how that information is organized is key to being able to find critical information in a timely manner. Taxonomies are the backbone of digital information management. But implementing a taxonomy properly take time, hard work, and patience. The reality is that information management is no longer just about insulated concepts like Enterprise Content Management (ECM) or Knowledge Management (KM) systems. It’s multi-dimensional. It’s about business intelligence and analytics. It’s about using information for insights and engagement, but also to protect as an asset, to manage as a risk. These attributes provide the framework for all of IG, and enterprise taxonomy lays the groundwork for all of it. The explosion of data often leads to fragmentation and data silos. For example, one line of business may refer to an account number while another refers to a social security number, and yet a third refers to a tax ID number. Different systems with different data characteristics. The result is confusion around search/retrieval, reporting, and lifecycle governance. Business intelligence opportunities are squandered, and discovery costs and effort are greatly complicated. So how does “taxonomy” help the situation? And what even is an “objectoriented taxonomy” anyway? AN OBJECT ORITENTED TAXONOMY Wikipedia’s “Corporate taxonomy” page defines it as: “The hierarchical classification of entities of interest of an enterprise, organization or administration, used to classify documents, digital assets and other information.” I’m going to use another metaphor to

INFOGOVWORLD.COM

describe the working concept. The first time many of us heard the word was back in high school, in a biological context: Kingdom, Phylum, Genus, Species, etc. Two of the key concepts behind this categorization are the inheritance and specialization of characteristics. Now, conceptually there‘s very little difference between the biological taxonomy and its object-oriented counterpart. Characteristics are inherited from the top parent levels, down to the children. Rather than inheriting limbs and backbones, we’re inheriting metadata, inheriting syntax, and context, and perhaps even retention requirements. At each subsequent level that you define, you get a chance to specialize—to define some new characteristics that the parent didn’t have, but the child does. While this example may sound simplistic, in a complex data ecosystem, understanding these types of relationships can yield deep and meaningful insight into an organization‘s data. This type of insight may show relationships between traditionally siloed data that even its owners may not have seen. Best of all, the core principles behind this type of architecture design pattern can be used to model unstructured, semi-structured and fully structured data sets. When we look at data in this way, we’re not creating anything new. We’re borrowing from a style of programming that’s pretty much ubiquitous these days, called object-oriented programming (OOP). At a high level, OOP is a way of managing clusters of code or content as objects. You create a blueprint for that “thing.” And then you create instances out of that blueprint. You can also expose or abstract parts of the object, depending on what your requirements are. Programmers today do this kind of stuff all the time; they model objects out

of anything that you can give a noun too. And objects come from classes. Classes contain properties – characteristics that describe the class (i.e., metadata). Think of a stencil or a cookie cutter. The shape of the stencil determines the shape of the letter. In our world, a document class defines the type of document we will deal with; a folder class determines the type of folder, etc. This method of modeling data structures has been around for many years, but it gained traction in the 1990’s. Steve Jobs referred to it as a “brilliant, original idea” that he credited with helping him build software ten times faster, and better, at his venture NeXT (which would eventually become part of Apple in his return to that company). I submit to you the idea that similar outcomes can be realized by adopting an objectoriented approach to enterprise information governance. INSURANCE CASE STUDY Let’s take a closer look at the guts of this architectural approach by imagining a high-level sample taxonomy for an insurance company: Figure 1 - Sample Insurance Organization Taxonomy At the top of the diagram, the outof-box Document class contains several fundamental properties that are generic. They are the taxonomy designer’s starting framework. The next level down is the first level of specialization: the Enterprise Document class. Its key properties are bound by the organization and make sense within the context of the organization. Every single document, every single record within the company will have at least these properties because they will be inherited

Figure 1 INSURANCE COMPANY DOCUMENT TAXONOMY HIERARCHY Key Properties:

Key Properties:

Enterprise class inherits Document property definitions

Core Functional document classes inherit Enterprise doc properties Further specialization by document class of document type

Document Title Date Created Created By Version

Document

Default ECM system document class

Active System of Record Document Type Document Date

Enterprise Document

Services

Products

Operations

Insurance

Finance

downwards to every subclass of that base Enterprise Document class. The third level is where you start to get creative. How do you determine that next “species” of the document? What do you use to tell the difference? It can get interesting because there are several potential choices here. Among the typical candidates are: • Content-Centric Design: Document classes reflect their intrinsic content type. The classes are modeled around the meaning behind the underlying content. This marginalizes the relevance of organizational unit or function in the definition of the document, so if inheritance of security characteristics is important to the overall design, this is probably not the best choice • Organizational Design: Document classes are modeled around the organization of the enterprise. In this design style, named LOB classes are used as parent containers of the document classes they use. The subsequent layers of the hierarchy then follow the organization down into smaller and smaller groupings. In this style, content is seen as a direct function of its parent LOB. This is a simple, security-driven model that makes it easy to map security between LOB users and their documents. However, a typical drawback with this design is that it’s too rigid, particularly for organizations that experience a lot of restructuring or mergers/acquisitions • Functional Design: Document classes are modeled around the higher-level abstractions of the functions that an

Claims

Group

Function-specific property definitions

Individual

organization carries out. This may be different than an organizational design paradigm in that this approach captures many of the functional aspects of the corporation. These may mirror the organizational structure, but in a more abstract perspective by focusing on the function or processes for which the content is used. This is the design style used in the insurance company example referenced above

specific esoteric nuances. The enterprise-level brings it all together, and is at its best when the taxonomy is lean and flexible. Also bear in mind that not all metadata is equal. After you’ve done your due diligence in figuring out property placement, your LOB stakeholders may come back and tell you that they need additional properties, once they realize what metadata actually is. Once you have the metadata, it is time to make some decisions. Is this “required” metadata used for: 1. Search/Retrieval? 2. Lifecycle? 3. Reporting? 4. Process/Workflow? Once you get the blueprint going, it should not be difficult to implement. If it is, you’ve probably done something wrong or the business has changed.

• Document characteristics (volume, format, input) • Organizational structure • Process • Security • Retention • Reporting

FUTURE OF TAXONOMIES There is an interesting phenomenon being discussed in certain circles, with the advent of a new type of technologically enabled professional dubbed the citizen developer. These are people who can use various technology tools that were once only part of the IT department’s arsenal, to build business solutions. An enterprise object-oriented data design blueprint is the enabler of this type of paradigm. Whether it’s getting information into an APIready state, or just enabling a common language—remember that stuff about the words we use—this technical data modeling is the path that allows positive momentum. Overall, organizations that adopt and manage a taxonomy should operate more efficiently, have a lower risk profile, and be set up to have a successful IG program.

You will probably find that the further down you get to answer as much as you can about these six interrelated dimensions, the closer you will be to understanding the full picture. Your goal is to get the narrative of what drives the organization’s data. Remember, taxonomy development (whether intentional or not) has largely been a siloed activity, with department-

EUGENE STAKHOV, CRM, CDIA+ IS A SENIOR ECM/IG SOLUTION ARCHITECT AT ENCHOICE, INC. GENE HAS PROVIDED CUSTOMERS WITH EXPERT GUIDANCE RANGING FROM ENTERPRISE TAXONOMY DEVELOPMENT TO TECHNICAL SYSTEM IMPLEMENTATION SOLUTIONS. HIS WORK INCLUDES IMPLEMENTING A HIGHLY VISIBLE REGULATORY COMPLIANCE INITIATIVE WHICH WON THE IBM INNOVATION IN TECHNOLOGY AWARD. GENE IS ALSO A LONG-TIME LEADER OF THE ARMA METROPOLITAN NYC CHAPTER, AND CURRENT PRESIDENT. HE MAY BE REACHED AT GSTAKHOV@ENCHOICE.COM

THE NUTS AND BOLTS: GETTING STARTED So where do you begin? Well, typically you begin with the front-line stakeholders, the end-users. The idea is to start with one LOB and get them involved right away. Holding a onsite requirements workshops is a good way to generate a checklist and synthesize an understanding of the following:

INFORMATION GOVERNANCE WORLD

ARCHIVING & LONG-TERM DIGITAL PRESERVATION

WHY ARCHIVE ELECTRONIC CONTENT?

BY MICHAEL OSTERMAN

lectronic archiving is a long-standing practice, particularly in heavily regulated industries like financial services and healthcare in which regulators have required industry participants retain business records for long periods. However, long-term data retention is a requirement across a wide range of industries – the U.S. Government, for example, has imposed data retention requirements across just about every industry for many different types of records. THE TRADITIONAL DRIVERS FOR ARCHIVING The primary, traditional reasons for archiving electronic content are driven by a number of considerations: Legal obligations: Just about every organization is subject to a variety of legal and contractual requirements. As a result, they need to retain various types of electronic content in the event this content is needed in the future to support their role as a defendant, plaintiff, or third-party participant in legal proceedings. Regulatory compliance: Many electronic records that relate to an organization’s business activities are subject to a variety of regulatory compliance obligations. Privacy regulations: There is a growing number of privacy regulations being initiated around the world. Although the European Union’s General Data Protection Regulation (GDPR) is the most prominent of these regulations, there are regulations either implemented or soon to be implemented in California, Colorado, Brazil, Australia, Japan, and many other countries. Storage management: An archiving solution can improve

INFOGOVWORLD.COM

system performance by minimizing the amount of “live” data that must be stored on active servers. End-user self-service: An employee may need to locate older emails quickly so that he or she can review their own email correspondence or other content such as attachments. KNOWLEDGE MANAGEMENT AND RETENTION OF CORPORATE HISTORY Email and other electronic content are typically one of an organization’s most important sources of corporate knowledge and this content should be retained for long periods. SHOULD YOU BE PROACTIVE? The “defensive” reasons for archiving electronic content are well-established and fairly straightforward. But how about the “offensive,” or proactive, reasons to retain this content? WHAT ARE SOME OF THE USE CASES? There are several use cases for an archiving solution in combination with a powerful analytics capability. Here are just a few examples: Customer and prospect management The content and timing of every customers’ or prospects’ inquiry, complaint, request for more information, etc. can be tracked. Data on each response can also be tracked, including how long the response took, who provided the response, the tone of the response, whether or not the customer responded, etc. This archived data can provide significantly more information than might be available in some CRM systems, since the

archiving solution automatically tracks all of this data. This data can then be used to determine correlations between the length of time it takes to respond to a prospect’s inquiry and the likelihood of making a sale, or if there is a relationship between customer renewal rates and how quickly their complaints are addressed. This information will help decision-makers understand how to modify the customer management or prospecting process. Finding likely insider threats The tone and content of manager communications to their employees can be monitored for problematic behavior. For example, employees who are berated by their managers are more likely to steal data or finances, and so examining archived data can help senior decision makers to find and deal with problem managers before an insider threat can occur. Reduced use of profanity can be an indicator of wrongdoing IBM has developed an analytics capability for monitoring traders for potential signs of wrongdoing. In the United States, IBM has found that traders who reduce their use of profanity may be up to no good 1. Interestingly, just the opposite is true in the United Kingdom – traders who increase their use of profanity may be indicating that they are involved in malicious activity. Detecting policy violations The use of personal webmail to conduct company business can be tracked either directly or indirectly by searching through archived content to identify violations of corporate policies against use of personal resources to conduct company business. Conducting investigations Conducting investigations is a key capability for a robust archiving solution. However, a difficult challenge is getting a clear understanding of what took place and when it occurred. Too often, people do not have a clear recollection of what took place or what might have been said. Fortunately, email, text messages, instant messages

and other content provide clear evidence of what was said (assuming that chain-of-custody was preserved). Understanding employee sentiment and behavior A robust archiving solution with good analytics can identify problems so that violations of corporate policy, the law, or best practice can be addressed before they result in a more serious problem. For example, a company’s compliance staff could search for evidence of sexual harassment, illegal downloads, distribution of offensive content, or any of several other activities that might result in a lawsuit, regulatory action, scandal or some other issue. It’s important to note that a robust archiving-plus-analytics capability does not need to include every communication type used in an organization, since the vast majority of communications in most organizations occurs in email. However, adding additional content types like social media posts, can enable additional insights and corporate intelligence to be extracted from the archive. MANY SOLUTIONS WERE NOT DESIGNED FOR THE NEXT GENERATION OF ARCHIVING Early-generation email archiving solutions were designed with a focus on managing mailbox size. In the early days of email, mailbox size was limited to only tens or hundreds of megabytes. These solutions were designed to remove email and attachments that were consuming a significant amount of storage and replace them with a small “pointer” or “stub” to the archive. This feature allowed users to keep months’ worth of email in their inbox without exceeding the mailbox size limit. Today, more modern email solutions, like Office 365 support multi-gigabyte mailboxes, capable of holding orders of magnitude more data than older solutions. Consequently, mailbox size management is much less of a driver for email archiving than it used to be and we see its importance in the context of archiving continuing to decline. That doesn’t mean that users no longer need archiving for

REFERENCE: 1. https://www.ibtimes.com/wells-fargo-scandal-banks-tap-watson-monitoremployee-activity-2586425

mailbox management, because some users continue to run into mailbox size limits – this is especially true for users who employ email as their primary file-sharing solution instead of using file-sharing technologies like Microsoft OneDrive or Box. Many organizations use journaling to retain electronic content. Journaling retains a copy of all email that sent and received for each mailbox. It is the responsibility of the archiving solution to protect the journal email copy. While in Office 365 environments, for example, an Exchange Online mailbox cannot be designated as a journaling mailbox; for organizations that run an Exchange hybrid deployment with mailboxes split between on-premises servers and Office 365, administrators can designate an on-premises mailbox as the journaling mailbox for Exchange Online and on-premises mailboxes. SOME RECOMMENDATIONS Any set of recommendations for moving forward with a next-generation archiving approach will be dependent upon a number of factors, but Osterman Research offers the following, high-level recommendations for consideration: 1. Deploy an archiving solution 2. Decide how information should be retained 3. Focus on extracting insight and intelligence from corporate data 4. Sell the use cases SUMMARY Archiving – the practice of retaining all relevant business records for the appropriate length of time for legal, regulatory and compliance purposes – is a legal requirement for all organization. However, combining a robust archiving solution with an analytics capability is increasingly becoming a best practice because it can enable decision makers to glean insights and intelligence from archived data for purposes of enabling competitive and other advantages. This is an excerpt from the Osterman Research white paper Why You Must Archive Business Content and What You Can Do With It. The entire white paper can be downloaded at https://dmmailinglist.com/subscribe?f=d3461fba. INFORMATION GOVERNANCE WORLD

EMERGING TECHNOLOGY IT’S IN THE JOURNEY

WHY IOT TRUSTWORTHINESS IS A JOURNEY AND NOT A PROJECT BY BASSAM ZARKOUT

e have seen several iterations of the “Internet of X” mantra over the years: The Internet of Content, the Internet of Commerce, and the Internet of People. The most recent iteration and arguably the most significant one is the Internet of Things (IoT). Recognized as one of the key enablers for digital transformation, IoT describes the collective ability to configure sensors on things 1 in order to capture operational data, exploit that data, gain insight about the operation of these things, control them, alter their behavior, and ultimately produce “better outcomes.” 2 Although IoT systems tend to be architecturally complex, the overall principle of their operation is consistent. You Detect, you Derive, you Decide, then you Do.

As an Information Governance professional, I classify IoT data as corporate data that must be governed in accordance with legal and regulatory obligations and internal corporate policies. However, as an IoT professional, I would say, yes but not so fast. This article will introduce the term IoT Trustworthiness, an emerging domain that overlaps with IG in some areas, but is potentially much more significant to the organization. This article is thus a call to action to both IoT practitioners and IG professionals. • IoT practitioners should heed the growing governance debt that will inevitably result from the exponential growth of IoT data volumes • IG professionals should watch out for that incoming train called IoT and recognize the important role they are destined to play in IoT Trustworthiness

2 Derive

3 Decide

• Aggregate • Analyze • Recognize patterns

• Predict • Prescribe • Determine actions

1 Detect

4 Do

• Sense events • Measure • Collect

• Perform actions • Report

Sensors

Actuators IoT-Enabled Things

The 4Ds of IoT - source IGnPower Most people associate the term IoT with consumer-oriented devices like home thermostats. But it is in industry 3 that IoT applications have the most impact. In the last few years the number of IoT sensors has grown exponentially. 4 By 2020 that number is expected to exceed 20 billion. This means that IoT systems are destined to generate volumes of data that will dwarf the volumes of data and information generated by business systems. 76

INFOGOVWORLD.COM

GOVERNING THE IoT DATA As already stated, data produced and consumed by IoT systems should be considered as corporate data that is subject to governance controls mandated by laws, regulations, standards, and eDiscovery rules, as well as rules defined by internal policies. Adopters of IoT solutions face a wide range of technical and organizational challenges: how to cope with fast evolving technology and architecture, how to deal with the challenges

SOURCE: https://www.iiconsortium.org/news/joi-articles/2018Sept-IoT-Trustworthiness-is-a-Journey_IGnPower.pdf, page 2

IoT TRUSTWORTHINESS The discussion about governing IoT data CANNOT be limited to data only. This is due to a very simple fact about IoT: IoT is much more than IT for Things. By definition, IoT systems have a digital side and a physical side. The governance of the IT aspects of these IoT systems (security and privacy) cannot be separated from the governance of the OT aspects of these systems (safety, reliability and resilience). Enter the term: IoT Trustworthiness. The Boston-based Industrial Internet Consortium or IIC 7 defines IoT Trustworthiness as follows: It is the degree of confidence one has that the system performs as expected with characteristics including safety, security, privacy, reliability and resilience in the face of environmental disturbances, human errors, system faults and attacks.

Err

ans

y vac

Hum

Pri

Saf e

Faults

Disturba

System

ment

Environ

ilience

nces

Throughout my years in the IG space, I have always been struck by the years of inaction of organizations vis-à-vis their mounting IG debt and the uphill battles IG practitioners continue to face in getting their initiatives off the ground. There is no question in my mind that the governance of IoT data will face similar challenges. But these challenges will be more complex, however, due to the physical nature of these systems. I will get into these challenges in the next section, but let me first get the “good news” out of the way: a) Governance debt for IoT data is still very low: Most IoT systems have been in production for a relatively short period of time. This means that the volume of IoT data is relatively low and the governance debt for the IoT data is still low. No time to waste here however, since the volume of IoT data is about to explode. b) IoT data is structured and well organized: It should not be difficult to identify this data, classify it and define governance rules for it. Adding governance frameworks to existing IoT systems to actually enforce the governance controls will require engineering efforts, but it is doable.

ors

Securi

• What is the IoT data and who owns it? • What are the rights of the IoT solution adopters? • What are the obligations of the IoT solution providers6 towards this data? • What are the Data Protection best practices for this data? • How long should this data be retained? • How to deal with issues like data lineage and data residency?

Att

of integration, and above all, reconcile IT with Operational technology (OT) 5 issues and manage their convergence. As IoT solutions continue to expand and mature, the volume of IoT data generated by the sensors will witness exponential growth. Organizations will need to address several fundamental questions:

Reliability

Trust worthiness

IoT Trustworthiness - source IIC Establishing and maintaining the trustworthiness objectives in an IoT system leads to better outcomes, such as a better alignment with the corporate business objectives, a better visibility of operational risks, etc. On the other hand, failure to achieve and maintain the trustworthiness objectives can lead to significant negative consequences, such as serious accidents, equipment failures, data breaches, and operational interruptions to name a few. Note: In so many IoT use cases, issues like safety and security far outweigh traditional IG concerns. For example, delaying a security patch in order not to affect production may introduce safety risks which can lead to serious accidents where people may be physically harmed. The issues and choices that IG Professionals face in projects like shared drive clean-up of ROT8 pale in comparison. Nobody was ever injured by duplicated documents in a shared drive. In order to assess the overall trustworthiness state of an IoT system, one must look at the state of each of the IoT Trustworthiness characteristics: Security, Safety, Reliability, Resilience and Privacy. For example, the Current state of one characteristic may fall short of the Minimum level mandated by laws and regulations for that characteristic. On the other hand, the Current state of another characteristic may meet the Minimum level but fall short of the Target level set at a corporate level. Below is a description of these Current, Minimum and Target states: • Current State (red): This is the “trustworthiness” status of the IoT system, based on how it is currently designed, implemented and operating. • Minimum State (blue): This is a non-negotiable trustworthiness level mandated by external authorities and parties, example legal, regulatory, standards, and industry best practices. • Target State (green): This trustworthiness level exceeds the Minimum state, and is based on internally-defined and selfimposed drivers and objectives (business and technical).

1. Automotive, aerospace, machines in plants, agricultural equipment, city lights, elevators, etc. 2. New business models, enhanced productivity, etc. 3. Manufacturing, cities, transportation, retail, agriculture, healthcare, etc. 4. IR sensors, image sensors, motion sensors, accelerometer sensors, temperature sensors, etc. 5. Operational Technology such as SCADA systems and ICS. 6. The Data Controllers and Processors in the GDPR terminology. 7. https://www.iiconsortium.org/news/joi-articles/2018Sept-IoT-Trustworthiness-is-a-Journey_IGnPower.pdf 8. Removal of Redundant, Obsolete and Trivial content from corporate shared drives. INFORMATION GOVERNANCE WORLD

EMERGING TECHNOLOGY The “radar map” in the diagram below provides an example of the IoT Trustworthiness states of a system. In this example, Safety exceeds the mandated minimum legal requirements while the other characteristics (Security, Reliability, Resilience and Privacy) fall short of their respective mandated minimums and thus require efforts to become compliant. Security

Privacy

Trustworthiness share some similarities:

a) IoT Trustworthiness may be complex as a topic, but at the end of the day IoT data is corporate data that must be governed. This data must be classified, its lifecycle managed and its eDiscovery properly handled in case of litigation. b) Like IG, IoT Trustworthiness is a multifaceted discipline that requires a collaboration SOURCE: https://www.iiconsorbetween multiple groups in the organization. tium.org/news/joi-articles/2018Sept-IoT-Trustworthiness-is-a-Jourc) Just like IG, IoT Trustworthiness needs ney_IGnPower.pdf, page 8 a leader9 who is empowered10 to drive the trustworthiness efforts throughout the lifecycle of the IoT system. IoT Trustworthiness is also different from IG. Its scope is much wider covering several well-established functions which have their Safety own teams, long traditions and mandates. Safety plays a very prominent role in IoT and Cybersecurity plays a central and enabling role in IoT and beyond (safety, privacy, etc.) Current State Minimum State Target State

Resilience

Reliability

IoT Trustworthiness Radar Diagram - source IIC This visual view of IoT Trustworthiness will help the organization understand its current situation vis-à-vis the trustworthiness of IoT system and prioritize the work needed to become compliant. INFORMATION GOVERNANCE VERSUS IOT TRUSTWORTHINESS Readers who have been trained in the art of Information Governance should have recognized by now that IG and IoT

Become Compliant

Meet internal Mandates

IOT TRUSTWORTHINESS JOURNEY IoT systems tend to have long lifecycles. For example, the lifecycle of a manufacturing plant and its systems may be decades long:

• During this long lifecycle, some of the plant’s internal systems and sub-systems may be upgraded, IoT-enabled, or totally replaced • IoT data produced and consumed by the plant’s systems may have long lifecycles • Trustworthiness requirements for the system may change over time due to changes in laws and regulations or changes in the architecture of the system itself. What all this means is that establishing and maintaining the system’s trustworthiness is not a project. It is an effort that must be sustained throughout the lifecycle journey of the system (diagram below):

Comply with Upcoming Requirements

Cruise to End of Lifecycle

Trustworthiness

IoT Trustworthiness Journey

Risky Zone

Target requirements Minimum requirements Current level of trustworthiness Time (not to scale) years, decades... Design

Build

Operate / Maintain

The IoT Trustworthiness Journey - source IGnPower 78

INFOGOVWORLD.COM

Decomission

Alignment with corporate vision

Corporate Operations

Legal

Improved QoS

Reduced legal risks & litigation costs

y vac

Pri

Saf e

ilience

Finance

Trust worthiness

Better IT-OT alignment

Alignment with business objectives

Improved risk visibility

Reliability

Risk

Securi

Better IT-OT alignment

News

Reduced unplanned costs

Business

Security

Optimized security

Value delivered by IoT Trustworthiness Program - source IGnPower The IoT Trustworthiness journey must be piloted by a program that acts as a framework for organizing, directing, implementing and maintaining trustworthiness of an IoT system throughout its lifecycle, and in accordance with established Corporate Business Objectives. Similar to the Information Governance program within the organization, the IoT Trustworthiness program must have a corporate sponsor to set the mandate and empower the organization to achieve that mandate, a program tsar to lead and manage the program, and a steering committee for the stakeholders who will coordinate the cross-functional implementation of the various facets of trustworthiness. The program must also deliver real value to the organization in the form of “better outcomes”. This value must be communicated to the various groups and stakeholders in the organization in terms they relate to and understand. A lot to unpack here and perhaps I should dedicate an article in the future to the subject of the IoT Trustworthiness Program, its structure and its activities. Suffice it to say that a core component of the initial stages of this program is an assessment of the Current state of the IoT system and a determination of the Minimum state based on external drivers like laws and regulations, and the desired Target state based on internal drivers like corporate strategy. IG professionals have an important role to play in this regard. CONCLUSION The trustworthiness of IoT systems and the governance of their IoT data are key to

ensuring that these systems can deliver on their intended objectives. Both efforts should be maintained throughout the full lifecycle journey of the IoT systems and their IoT data. There is little time to waste here as IoT technologies and architectures are evolving fast. AI and Distributed Ledger technologies like Blockchain are starting to play central roles within IoT systems. Issues like AI ethics (why did the AI make this versus that decision) and the seemingly irreconcilable conflicts between Blockchain and privacy (example GDPR’s Right-to-Forget) are getting to the forefront. Terms like Safety-by-Design, Security-byDesign and Privacy-by-Design are not mere catchy buzzwords. They have a significant impact on the success of IoT systems and ultimately on the Digital Transformation strategies of organizations. These terms must be understood and the principles behind them weaved into the fabric of the IoT systems. To close, I think it is safe to say that the need to govern IoT data is real and looming… it is also inescapable. But it is part of a wider conversation in which issues related to the trustworthiness of IoT systems will dominate the conversation. Again, IG professionals will have an important role to play in all of this. BASSAM ZARKOUT IS THE FOUNDER AND EXECUTIVE VICE PRESIDENT OF IGNPOWER IN KANATA, ONTARIO, CANADA. HE HAS IMPLEMENTED INNOVATIVE VISIONS FOR MULTI-JURISDICTIONAL IG PLATFORMS THAT INCLUDE IOT DEVICES. HIS INTERESTS INCLUDE ARTIFICIAL INTELLIGENCE, BLOCKCHAIN, GDPR AND PRIVACY BY DESIGN. HE MAY BE REACHED AT BZARKOUT@IGNPOWER.COM

ELON MUSK FINED! In our fall issue, IG World highlighted the potential implications of tweets by principals of publicly traded companies. Compliance is a serious matter for public companies and the SEC has made it known they will take action to ensure compliance, even from rouge CEOs. In response to the SEC action, Elon Musk agreed to step down as chairman. The SEC lawsuit resulted in a $20 million dollar fine and the addition of two new independent directors to Tesla’s Board. It is no surprise that Tweeting speculative corporate information would be a SEC compliance violation. Keeping corporate secrets is a fundamental responsibility for all senior executives. It seems simple and yet in these days of ubiquitous sharing on social media it is easy to see how the boundaries of compliance and behavior can get mixed up. IG can’t control Elon Musk, but it can provide leaders with the ability to minimize risks. Elon Musk is a wonderful example of the inflection point between compliance and behavior. Tesla’s newly independent Board would benefit from using IG tools to put a value on the risk associated with his entrepreneurial leadership. —Baird W. Brueseke

9. Gartner recommends the appointment of a Chief Data Officer to own the Information Governance function. 10. Empowered with authority and budgets. INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE TRADE SHOWS & CONFERENCES

HIMSS19 ANNUAL CONFERENCE February 11-15, 2019 (Orlando) The Healthcare Information and Management System Society (HIMSS) is a global advisor and thought leader supporting the transformation of health through the application of information and technology. HIMSS has 70,000 individual members, 630 corporate members and over 450 non-profit organizations. This year, HIMSS is holding their national conference in Orlando at the Orange County Convention Center. Keynote speakers include Aneesh Chopra the President of CareJourney, Karen DeSalvo former national coordinate for Health IT, Michael Leavitt founder of Leavitt Partners and Seema Verma the Administrator for the Centers of Medicare and Medicaid Services. www.himssconference.org

RSA USA 2019 March 04-08, 2019 (San Francisco) The RSA USA annual conference is once again the Cybersecurity industry’s place to see and be seen. Vendors from the global community will descend on the Moscone Center in San Francisco to display their wares. Featured products will include: Threat Detection and Response, Fraud Prevention, Integrated Risk Management as well as Identity and Access Management platforms. The agenda has many opportunities to learn such as: Tutorials and Training, Learning Labs, Innovation Programs, a

INFOGOVWORLD.COM

Sandbox Contest, CISO Boot Camp and Cyber Safety instruction. This five-day conference is a great opportunity to gain insight about industry trends and get introduced to new products. RSA USA 2019 will feature sessions on Inclusivity and Diversity. One seminar will focus on how to solve the Cybersecurity talent shortage, with a focus on the opportunities that exist for women to become Cybersecurity practitioners. www.rsaconference.com If You Are Going to RSA: What to do in San Francisco RSA USA 2019 will be held in San Francisco, one of California’s most storied cities. Although RSA attendees may not have time for a full day of vacation activities, there are still many attractions that can be experienced during the conference. The Cable Car system is a great way to get around. Fisherman’s Wharf offers many wonderful culinary experiences. For the adventurous eater, Chinatown’s eateries are a source of exotic menus. There are street vendors and many small shops that serve excellent gastronomic fare with spicy tastes that can only be found in San Francisco. www.sftravel.com

ARMA METRO NYC CHAPTER March 5, 2019 (New York) The NYC ARMA Chapter’s Spring Conference is on Tuesday, March 5th. The local chapter has a Big Apple sized event covering these key topics: Privacy, Cybersecurity, Strategic Growth, Data Governance and Cross-border Data. Michael Potters will moderate the event which features keynote speakers: Jo Ann Davaris, Wayne Matus and David Peach. The Metro Chapter’s Spring Conference continues to be a great place to meet IG thought leaders including this year: Ron Hedges, Richard Hogg and John Isaza. armanyc.org/2019_Annual_Conference

ENTERPRISE DATA WORLD March 17-22, 2019 (Boston) Enterprise Data World (EDW) is the most comprehensive educational data management conference in the world. Hosted by Dataversity and the Data Management Association (DAMA), featured speakers include Michael Stonebraker (MIT), Jeff Jonas (Senzing), Laura Sebastian-Coleman (Aetna) and Anthony Algmin (First San Francisco Partners). Attendees will have an opportunity to participate in workshops and training programs on Sunday and Monday before the full conference agenda begins on Tuesday. One unique aspect of the training programs is the Lightning Talk, 5-minute presentations on topics such as: the Data Management Meta Model Battle, Are you getting the most out of your data linage?, In Search of new Metaphors for Data and R.E.S.P.E.C.T. – what’s on your Data Management Playlist?. Event sponsors are leading data management vendors including: IBM, Alation, Data Advantage Group, Denodo, Erwin, Idera, Immuta, Innovative Systems, Manta, Octopai, Redpoint Global, Syncsort and Tamr Data United. edw2019.dataversity.net If You Are Going to EDW: What to do in Boston The historic town of Boston offers visitors a plethora of interesting opportunities to see the actual venues where many important events in American history occurred. From Beacon Hill to Harvard University and Fenway Park, Boston is a treasure trove of Americana. The Boston Harbor is close at hand. Intrepid visitors may wish to throw tea in the harbor to commemorate our ancestor’s historic rebellion against British taxation. Others may wish to visit cutting edge restaurants or the local craft beer and breweries. www.boston.gov/visiting-boston

AIIM March 26-28, 2019 (San Diego) AIIM’s National Conference is in San Diego this year. This year’s message is that “Your Digital Transformation Begins with Intelligent Information Management.” This transformation can be viewed as a journey which enhances customer experiences, business agility and automated compliance. The mile markers along the way will be Content, Process and Analytic Services. The keynote speakers are Greg Verdino (digital transformation) and Blake Morgan (customer experience). The Manchester Grand Hyatt is a great venue and the AIIM conference is a good place to see old friends. If you’re in town, come join us at the AIIM Chapter (SD+LA) Social IG World is hosting on Tuesday evening. aiimconference.com

INFORMATION GOVERNANCE TRAINING April 9-11, 2019 (San Diego) The Institute for Information Governance is holding its annual classroom training event on the University of San Diego’s (USD) beautiful campus. Located high on a mesa overlooking San Diego bay and the Pacific Ocean, USD is a great location to learn. The first day’s session will cover IG Basics, including the IGP Certification Crash Course. This will be followed by two days of advanced training. Attendees will have the opportunity to explore IG topics in detail including: Big Data, GDPR, the

IG Imperative, IG Principles, Strategic Planning, Policy Development and Infonomics. Privacy is a growing aspect of Information Governance. During the two days of advanced training, the class will review the impact that GDPR has had since it went live on May 25, 2018. The instructor, Robert Smallwood will also cover the California Consumer Privacy Act (CCPA) and the role that IG programs can play in corporate efforts to comply with this new privacy regulation. www.igtraining.com If You Are Taking the Training: What to do in San Diego San Diego is known as American’s finest City. Located on the Pacific coast, San Diego has a Mediterranean climate. The average temperature in April is 68 degrees. Visitors can explore San Diego’s historic Old Town venue located just 3 miles from USD. The Point Loma lighthouse has sweeping views of the Pacific Ocean and US Navy installations in San Diego Bay. The Gaslamp district offers many opportunities for nightlife entertainment. www.sandiego.com/attractions

DATA MONETIZATION & INFONOMICS SUMMIT May 17, 2019 (Chicago) IG World Magazine is holding our first Data Monetization & Infonomics Summit on Friday, May 17th in Chicago to educate C-level executives and IG leaders on how to leverage information value. The Summit will be held at the Talbott hotel, an award-winning venue in Chicago’s historic Gold Coast District. Presenters include Rich Kessler (KPMG), Ren Leming (Informu Solutions), Neil Calvert (LinQ) with a special appearance by Doug Laney, the author of Infonomics, How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage. Attendees will participate

in exercises designed to engender real world understanding of how Information Governance can be used to monetize information value using the principles of Infonomics. To register, email events@ infogovworld.com. events.infogovworld.com

MER CONFERENCE May 20-22, 2019 (Chicago) The 27th annual MER conference is the best IG conference of the Spring season. IG World encourages all of its readers to attend. MER will focus on Legal, Technical and Operational aspects of managing electronic records. Compelling keynote speakers will bring diverse perspectives to pressing issues and illuminate potential solutions to realworld problems. Conference sessions will focus on disruptive technologies such as blockchain, IoT, social media and machine learning. Attendees will include progressive decision-makers, organization influencers and IG practitioners seeking solutions to their business’s Information Governance challenges. www.merconference.com If You are Going to MER: What to do in Chicago Visitors to Chicago’s Gold Coast have many opportunities to enjoy the city. Start with Navy Pier and ride the giant Centennial Wheel or enjoy a good meal at one of the many eateries. Folks who like to see things from high up in the sky can visit the 360-degree observatory on the 94th floor of the Willis Tower (formerly the John Hancock Center). The Magnificent Mile is a great place to go shopping. Those with a big hunger may chose to visit Michael Jordan’s Steak House. A walk along the shore of Lake Michigan is a wonderful way to enjoy the sights and sounds of the city. www.choosechicago.com

INFORMATION GOVERNANCE WORLD

INFORMATION GOVERNANCE EVENTS February 11-15 Feb. 18, 20, 22 February 25 February 26 February 28

HIMSS 19 Annual Conference (Orlando) CIP Prep Crash Course (Online M-W-F, 1PM-4PM ET) Institute for IG, register at IGTraining.com CCPA Comprehensive 2019 (Fremont) IAPP Cyber Forum 2019 (Beverly Hills) IAPP Calgary KnowledgeNet

March 4-8 March 5 March 10-12 March 11-13 Mar. 11, 13,15 March 17-22 March 18-20 Mar. 18, 20, 22 March 26 March 26-28 Mar 31-April 2

RSA USA (San Francisco) ARMA NYC Annual Conference Gartner CIO Leadership Event (Phoenix) IIA General Audit Management Conference (Dallas) IGP prep Crash Course (Online M-W-F, 1PM-4PM ET) Institute for IG, register at IGTraining.com Enterprise Data World (Boston) IDG Agenda 19 (Ponte Vedra Beach) Privacy in IG (Online M-W-F, 1PM-4PM ET) Institute for IG, register at IGTraining.com AIIM San Diego and Greater LA Chapter Social Event AIIM Annual Conference (San Diego) Gartner CIO Leadership Event (Hollywood)

April April April April April April

1-3 8-10 9-11

ISSA InfoSecWorld (Disney Resort, Lake Buena Vista) MADS â&#x20AC;&#x201C; Marketing Analytics and Data Science Conference (San Francisco) IG Basics & Advanced Classroom Training (San Diego) Institute for IG, register at IGTraining.com ACC 6th Annual Corporate Counsel Conference (Birmingham) SCCE Basic Compliance & Ethics Academy (San Diego) IAPP Global Privacy Summit (Washington DC)

May May May May May May May May May

8 8-10 13-15 13-14 15-16 17 20-22 22-23 23

CDO Summit (Columbia University, NYC) WiE inaugural National Conference (Austin) ISACA CACS 2019 North America (Anaheim) CFO Leadership Conference (Boston) Chief Analytics Officers Conference (San Diego) Data Monetization & Infonomics Summit (Chicago) Register at events.infogovworld.com MER Conference (Chicago) CIGO Conference (Chicago) CDO Event (Cambridge University)

June June June June June June

3-7 10-13 13-14 11-13 14 26

DGIQ Data Governance & Information Quality Conference (San Diego) ISACA COBIT 2019 Overview (Tampa) ISSA CISO Forum (Boston) HIMSS & Health 2.0 Europe Conference (Helsinki) ARMA Chapter Meeting (Los Angeles) ACC 2019 Corporate Counsel University (Minneapolis)

11 15-18 30-May 5

July 7-10 July 15-18 July 17

INFOGOVWORLD.COM

IIA International Conference (Anaheim) ISACA Privacy and Data Protection: Intro to the Global Landscape (Boston) Data Architecture Conference (on-line)