INFORMATION GOVERNANCE WORLD
OZ ALASHE ON ANALYTICS & CYBERSECURITY
GDPR ONE YEAR LATER W/ RICHARD HOGG
ADVICE FROM LEADING IG EXPERTS
JASON R. BARON ON RIM’S MAJOR THREAT
NICOLAS ECONOMOU ON AI’S ROLE IN E-DISCOVERY
ON COSO & RISK MANAGEMENT
IG & INTELLIGENT AUTOMATION
HEIDI MAHER: HER VISION FOR CGOC + IG & DATA PRIVACY BENCHMARKS
ON GLOBAL RIM COMPLIANCE
VOL 1 • ISSUE 3 SPRING 2019
INFOGOVWORLD.COM YOUR GLOBAL IG RESOURCE®
PHOTO BY LILLI GARCIA
We are proud and pleased to bring you another spectacular issue! It is chock-full of engrossing content and keen insights from IG leaders. Our cover feature is an interview with CGOC’s Executive Director, attorney Heidi Maher. Her story of her childhood in Iran and her immigration to the US is intriguing; her rise to working in the Texas Attorney General’s office and then becoming a leading tech attorney is inspiring. And the story of how her parents met is quaint! We also feature two interviews from across the pond with keynote speakers at the annual MER Conference in Chicago. Oz Alashe, MBE, served as a leader in the British military and now applies his skills in leading a cybersecurity firm that leverages analytics and AI to prevent and detect threats. He offers some insights on looming cyber threats that you won’t want to miss. Nicolas Economou, the son of a diplomat who has traveled extensively, offers his discernments on AI governance and AI use in e-Discovery. Noted attorney and e-discovery expert Jason R. Baron provides a detailed look at ephemeral messaging and its threat to RIM. John Isaza, a leading attorney in the IG space, talks about his immigration from Colombia to Southern California, and his close friendship with fellow attorney and co-author John Jablonski. He then provides insights on global RIM compliance. Former ARMA President Fred Diers also contributed a provocative piece on RIM programs that every records management professional should read. We focus heavily on data privacy in this issue. Richard Hogg, a leader in global privacy, gives us a look at GDPR a year after it went into effect, and our own Mark Driskill offers what he has uncovered about GDPR as well. Also, Scott Allbert writes about what financial institutions may not know about the impending California Consumer Privacy Act. Business process expert Nathaniel Palmer provides us with a clear view of the intersection of intelligent automation and IG.

We also interviewed my friend Sonia Luna, CPA, who gives us expert insights on the COSO risk management framework, cannabis compliance, and living in L.A. My longtime colleague at IMERGE Consulting, Jim Just, and content analytics expert Brian Tuemmler provide us with two viewpoints on cleaning up shared drives, with some very good advice. Again in this issue, data governance expert Merrill Albert gives us lessons on running a good DG program, and we are hoping the IG community picks up some of her tips. Tom Motzel writes about the rise of the CDO and potential conflicts with the CISO; and David Metcalf, PhD, gives us a preview of the book he wrote with several colleagues on blockchain in healthcare. Enjoy and learn! And please don’t forget to send us your topic ideas, opinions, and feedback – this is the IG community’s magazine and we strive to improve with each issue.
Robert Smallwood CEO & Publisher
Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com
CONTENTS

INFORMATION GOVERNANCE IN SOCIETY
10 ARMA Metro NYC Annual Spring Conference
11 The Annual AIIM Conference

INFORMATION GOVERNANCE BEST PRACTICES
12 Mission Impossible by Jason R. Baron

INFORMATION PRIVACY
16 GDPR One Year Later by Richard Hogg
19 Facebook Always Watching
20 Cali Privacy Act to Hit Financial Services Firms the Hardest? by Scott Allbert
22 GDPR’s First Birthday by Mark Driskill

INFORMATION SECURITY
24 An Interview with Cybersecurity Leader Oz Alashe, MBE
28 CSA’s Cloud Controls Matrix Maps to Leading Frameworks by Baird Brueseke
30 CIS Releases New Mobile Controls by Baird Brueseke

COVER STORY
32 The Visionary: Interview with Heidi Maher by Robert Smallwood

ANALYTICS & INFONOMICS
40 Clean-up Content with Content Analytics Technologies by Jim Just
42 Kick Start Your IG Program with Content Cleanup by Brian Tuemmler

REGULATORY COMPLIANCE
44 Law & Order: Interview with John Isaza, Esq.
47 High Standards: Interview with Sonia Luna, CEO and President at Aviva Spectrum

LEGAL & EDISCOVERY
50 A.I. Governance: Interview with Nicolas Economou

RECORDS & INFORMATION MANAGEMENT
52 Creating a Sustainable RIM Program – Fact or Fiction? by Fred Diers, CRM, FAI

DATA GOVERNANCE
56 Data Governance: Insights from the Field by Merrill Albert
57 What is Master Data Management?

CONTENT SERVICES
58 Intelligent Automation & IG: The Critical Path to Digital Transformation by Nathaniel Palmer
60 The Rise of the CDO: Conflicts Emerge with CISO Role? by Tom Motzel

ARCHIVING & LONG-TERM DIGITAL PRESERVATION
62 Newer Cloud-based Approaches Simplify Digital Preservation

EMERGING TECHNOLOGY
64 Driving AI
65 AI Used to Transcribe Content
65 Future of Defense is AI

INFORMATION GOVERNANCE HEALTHCARE
66 Blockchain in Healthcare – Empowering Patients and Professionals by David Metcalf, PhD
67 Medical Bills Are Killing Americans
67 IG Leaders in Healthcare
68 Harvesting Computing Brainpower to Improve Healthcare
69 Artificial Intelligence in Healthcare
70 Six Strategies to Consider When Implementing IG by Rita Bowen and Erin Head

72 INFORMATION GOVERNANCE TRADE SHOWS
74 INFORMATION GOVERNANCE EVENTS
ON THE COVER: Heidi Maher, Executive Director, Compliance, Governance & Oversight Council. Photo by Nikki Acosta, Magnetic Focus Photography.
CEO & PUBLISHER: Robert Smallwood
CHIEF OPERATING OFFICER: Dan O’Brien
CONTRIBUTING EDITORS: Mark Driskill, Martin Keen, Andrew Ysasi
CONTRIBUTING WRITERS: Merrill Albert, Scott Allbert, Jason Baron, Rita Bowen, Baird Brueseke, Fred Diers, Erin Head, Richard Hogg, Jim Just, David Metcalf, Tom Motzel, Nathaniel Palmer, Robert Smallwood, Brian Tuemmler
CONTRIBUTING PHOTOGRAPHERS: Nikki Acosta, Lilli Garcia, Nate Kieser, Robert Smallwood, Christian Yi
SPECIAL THANKS TO INTERVIEWEES: Heidi Maher, Nicolas Economou, Sonia Luna, John Isaza, Oz Alashe
2358 University Ave # 488, San Diego, CA 92104
© 2019 InfoGov World Media LLC
INFORMATION GOVERNANCE EDUCATION, NEWS & EVENTS: Check us out online and sign up today for a free digital subscription to Information Governance World magazine. Print subscriptions for the quarterly mag are $49/year, or $195 for five team members.
According to the Sedona Conference, Information Governance (IG) is about minimizing information risks and costs while maximizing information value. This is a compact way to convey the key aims of IG programs. The definition of IG can be distilled further. An even more succinct “elevator pitch” definition of IG is “security, control, and optimization” of information. This is a short definition that anyone can remember, and it is a useful one for communicating the basics of IG to executives. To go into more detail: this definition means that information—particularly confidential, personal, or other sensitive information—is kept secure. It means that your organizational IG processes control who has access to which information, and when. And it means that information that no longer has business value is destroyed, and the most valuable information is leveraged to provide new insights and value. In other words, it is optimized.

IG PROGRAMS REQUIRE CROSS-FUNCTIONAL COLLABORATION

IG involves coordination between data privacy, information security, IT, legal and litigation/e-discovery, risk management, business records management functions, and more. It is a complex amalgamated discipline, as it is made up of multiple sub-disciplines. IG must be driven from the top down by a strong executive sponsor, with day-to-day management by an IG Lead, a person who could come from one of the major sub-disciplines of IG: IT, cybersecurity, privacy, RIM, analytics, legal, operations, or a related discipline.

THE KEY DIFFERENCES BETWEEN DATA GOVERNANCE & INFORMATION GOVERNANCE

Data Governance (DG) and Information Governance (IG) are often confused. They are distinct disciplines, but DG is a subset of IG and should be a part of an overall IG program. DG is the most rudimentary level at which to implement IG, and DG programs often provide the springboard for IG programs. Data governance entails maintaining clean, unique (non-duplicate), structured data (in databases). Structured data is typically about 10%-20% of the total amount of information stored in an organization. DG includes data modeling and data security, and also utilizes data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data, and deduplication to eliminate redundant occurrences of data. Data Governance focuses on data quality from the ground up, at the lowest or root level, so that subsequent assessments, reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables.

THE CHALLENGE: MANAGING UNSTRUCTURED INFORMATION

Unstructured information is the vast majority of the information that organizations struggle to manage. It generally lacks detailed metadata and includes scanned images, email messages, word processing documents, PDF documents, presentation slides, spreadsheets, audio recordings, video files, and the like. Unstructured information is more challenging to manage than structured information in databases, and is the primary focus of IG programs. IG is much broader and more far-reaching than DG. IG programs include the overarching policies and processes to optimize and leverage information as an asset across functional silos while keeping it secure and meeting legal and privacy obligations. These IG program aims should always be in alignment with stated organizational business objectives.
ARMA Metro NYC Annual Spring Conference On March 5, the ARMA Metro NYC Chapter held its annual Spring Conference in Manhattan for a crowd of more than 220 attendees. The group was hosted by ARMA NYC Chapter President Gene Stakhov. Privacy was a major focus of the day, with presentations by Jo Ann Davaris, CPO at Mercer; David Peach, CISO at The Economist Group; Wayne Matus, Chief Compliance Officer at SafeGuard GDPR; Richard Hogg of IBM; attorneys John Isaza and Leigh Issacs, and more. Afterward, a networking reception was held and many enjoyed conversing with colleagues.
ARMA Metro NYC Board Members
John Isaza presents a case study
Josseline Corniel & Veronika Golberg of Vdiscovery flank Michael Landau of Veritas
Karla Farley of Microfocus and raffle winner John Attanasio
Many good connections were made during lunch
(Left to right) Keynote speaker group: Wayne Matus (SafeGuard GDPR), Jo Ann Davaris (Mercer), Gene Stakhov (enChoice), David Peach (The Economist Group) and Michael Potters (Glenmont Group)
A standing room only crowd
The Annual AIIM Conference The annual AIIM Conference took place March 26-28 in San Diego. Approximately 600 attendees enjoyed excellent keynote presentations and educational sessions, as well as social networking events. And the weather was spectacular!
Smiling networker with a humorous shirt
Mary Arnold, USAA
Longtime AIIM Fellow Priscilla Emery
Boshia Smith and Georgina
AIIM held its conference at the San Diego Grand Hyatt
Iron Mountain’s Arlette Walls chatting up the table
A pensive Alan Pelz-Sharpe
Iron Mountain’s Tom Motzel makes a point
SD/LA AIIM Social attendees enjoying drinks
Ryan Zilm rocks karaoke
BEST PRACTICES (With the consent of its editors, the following is an abridged version of an article that appeared in the Winter 2019 issue of “Ethical Boardroom” magazine, a UK publication.)
MISSION IMPOSSIBLE? HOW TO SAVE RECORDS MANAGEMENT FROM THE THREAT POSED BY SELF-DESTRUCTING MESSAGES
BY JASON R. BARON / PORTRAITS BY NATE KIESER
Every month more than four billion people send 560 billion SMS text messages worldwide—a 7,700% monthly increase over the past decade. Instant message (IM) traffic on apps such as Facebook Messenger, WeChat, WhatsApp, Viber, and Line tops 60 billion texts daily.[1] As of 2018, cloud-based collaboration tool Slack says it has eight million daily active users and three million paid users.[2] According to one recent survey, nearly 78% of people would like to have a text conversation with a business, and 80% of professionals currently use texting for business purposes. Interestingly, more than half of professionals claim that they cannot stand even 10 minutes without responding to a text.[3] Coupled with the emergence of messaging generally are self-destructing messaging services beyond the popular Snapchat and Telegram platforms, such as Bleep, Confide, Cover MeHash, Signal, SpeakOn, VaporStream, Wickr, and a host of others. Unadorned use of these messaging apps means there may, in fact, be no “record” in any sense that can be captured by any actor or institution subject to regulatory oversight or compliance obligations. Although, admittedly, such applications are less prevalent amongst business people than they are with the under-18 set, they nevertheless are available to any potential interested party as a means of conducting business—for time-saving efficiency by many, and for possible dubious “off-the-books” uses by some.

In 2017, a Washington, D.C.-based public interest group filed a lawsuit against the current White House, alleging that presidential staff were using communications platforms such as WhatsApp, Confide, and Signal, which allow for self-deletion, while failing to put into place an adequate archiving scheme responsible for the capture of such messages (either by automated means or by staff copying messages manually).[4] The lawsuit was dismissed on the grounds that under existing precedent the court did not consider itself to have jurisdiction to interfere with presidential records management practices. But on its merits, the allegations in the complaint painted a picture of potential widespread noncompliance with recordkeeping policies that simply are not keeping up with the pace of technological change. And so, at the end of the second decade of the 21st century, we face what might be considered an existential threat to recordkeeping as we know it, to the extent that business-related communications are increasingly conducted by employees of enterprises via these types of messaging channels, either on company-owned or employee-owned devices. Shall we give up? Shall we try to rigidly enforce prohibitions on the use of these services? Or, as an intermediate position, shall we ask what data controls are reasonable to contemplate as a matter of governance, compliance and oversight? The question is of an urgent nature, given the accelerating proliferation and use of such applications. Taking a step back, it may first be best to review the bidding on how we got here, including key milestones and earlier warning signals along the way. Armed with that knowledge, we can take a stab at sketching out a
path to better compliance from both the perspective of technology and information governance policy. In 1986, employees of the National Security Council were informed in a White House guidance manual that e-mail should not be used to convey official records information. That written policy prohibition went unheeded by Lt. Col. Oliver North, John Poindexter, and others, who sent each other thousands of emails (in the form of “PROFS notes”) about high-level, sensitive matters of government, including those pertaining to the infamous Iran-Contra affair. Such messages were seized as part of an Independent Counsel investigation, and subsequently were caught up in decade-long litigation over the record status of e-mail messages residing on backup tapes. The government eventually lost the argument that only e-mail communications that had been printed out were true government records. Subsequently, the Clinton White House agreed to restore e-mails from backup tapes, including certain metadata, for placement in government archives, and also agreed to put into place a system for e-mail archiving going forward.[5] In the intervening decades, e-mail became the lingua franca of office communications, and virtually all public and private organizations comprising more than a few employees have instituted e-mail as a communications channel, at least in-house. As history repeatedly has shown, however, institutional policies that give end-users access to new types of communications technologies (as e-mail was in the 1980s), coupled at the same time with policy guidance informing those users that they should not use the technology for “official” or “business” communications, have proven to be a recipe for failure from a compliance perspective.

In 1995, the introduction of the Netscape browser led to a period of information inflation, in which the number of websites grew from fewer than a hundred to over 100,000 in very short order.[6] This, in turn, ushered in an era where end-users could, in theory, access a world of online connections from their workplace desktops. That said, it was only in the post-2000 era that the world of communications technologies really started to take off, with the introduction of the Google search engine, coupled with platforms represented by Gmail, Yahoo, and other providers. For the first time, employees had realistic, easy-to-use alternatives to sole reliance on corporate e-mail networks, which in many cases have been subject to slow-downs, connection issues, and glitches of all types. In this same time period, there was an explosion of laptops, mobile devices, personal digital assistants, and most of all, smart phones, with the capability not only of accessing e-mail networks (corporate and private), but also of downloading a wide variety of apps. It was therefore entirely foreseeable that employees – including some of the most senior-level officials – would gravitate to using alternative means to communicate in the course of carrying out various types of business activities. Just as inevitably, in the last half decade or so, controversies over the use of commercial networks and apps to communicate about official business have blossomed. The controversy over Secretary of State Hillary Clinton’s use of a private email server is the most prominent example of this phenomenon, but she by no means has been alone: many high-level state and federal officials, as well as political leaders in such countries as Australia and Canada, also have used private communications channels to discuss government business. From a lawmaking perspective, the federal government has been out in front by enacting into law in 2014 provisions that require officials who conduct government business by means of “electronic messaging” on a private commercial network to take reasonable steps to forward or copy the messages into an official recordkeeping system (with a “.gov” address).[7] Notably, the statute does not prohibit the use of commercial services, but instead provides conditions on use. The statute also includes a provision for agencies initiating disciplinary measures against employees who fail to adhere to these legal requirements.
More recently, the Department of Justice (DOJ) has focused on ephemeral messaging in connection with its corporate enforcement policy pursuant to the Federal Corrupt Practices Act (FCPA). To that end, under its recent Corporate Enforcement Policy (USAM 9-47-120), as amended in March 2019, DOJ has put into place a presumption that companies will receive a “declination,” i.e., full remediation credit toward what otherwise would be a substantial monetary sanction, only if the company satisfies certain conditions, one of which involves “prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications. . . .” Thus, companies must carefully consider the effectiveness of their corporate compliance programs as they relate to such messaging apps prior to any FCPA investigation. At a minimum, it is now in the interest of C-suite executives in enterprises that might be affected by FCPA considerations to perform a risk analysis with respect to the pros and cons of continuing to allow ephemeral messaging as a matter of corporate policy. Arguably, there are substantial financial benefits in mitigating potential exposure to fines through clear corporate guidance controlling the use of ephemeral messaging apps for the conduct of corporate business. On the other hand, ephemeral messaging decreases overall corporate risks in at least three ways: first, by reducing the volume of retained messages that may be subject to cybersecurity threats; second, by controlling over-retention, with its corresponding litigation exposure due to the inadvertent or default retention of messages with negative consequences; and third, as a matter of compliance with emerging General Data Protection Regulation (GDPR) policies aimed at reducing long-term preservation of records containing personal data on individuals, including sensitive personal data. This same risk factor balancing ideally should be considered by all companies, not just those affected by FCPA policies. Corporate policies prohibiting employee use of applications are certainly more easily enforceable on company-owned devices, although some kind of software auditing program – automated or manual – would still need to be put into place. However, a substantial portion of the corporate world has adopted some form of BYOD (bring your own device) policy, allowing employees to opt to carry out corporate business on their personally owned devices. In such cases, although there are ways to embed software auditing for particular devices and apps on a voluntary basis, there would appear to be wide-open compliance issues given the ease with which individual employees may opt to install messaging apps that essentially can go undetected by their employers for some period of time.
In view of the fast-changing world of ephemeral and self-destructing messaging, here are some practical steps company officers should consider taking as part of a robust information governance program. First, C-suite executives should make every effort to understand the IT environment that exists in their workplace, including on corporate devices as well as on devices owned by employees but used for company business. What kinds of communications apps are being used, by whom, and for what purposes? Executives should consider taking reasonable steps to attempt to control communications, via investing in archiving tools for social media that capture communications on designated apps. As necessary or desirable, companies may consider imposing software blocking the use of certain well-known apps to restrain employees from engaging in ephemeral communications. A caveat here is in order, however: such efforts may only encourage users to find less well-known workarounds, especially on their personally-owned devices. Second, corporate record retention policies and device use policies should be updated to explicitly recognize that business records may be created on messaging applications, and that such messages need to be managed. While there is no iron-clad, general duty to preserve all business-related communications, under certain circumstances legal holds may need to be put into effect that cover relevant communications on ephemeral apps. Accordingly, employees should be encouraged in the first instance to use stable forms of communications (as defined under corporate policies) that reasonably comply with existing record retention practices and which allow for legal holds to be put into effect. Absent an outright prohibition of ephemeral messaging, companies should at a minimum make clear what is permissible and what is expected of employees using either corporate or personal devices, and should provide notice if the company wishes to perform some kind of audit of those devices. And third, as a matter of setting expectations in a given corporate culture, if senior officials show that they are adhering to using more traditional channels for communication, mid-level supervisors and their employees may be more ready to toe the line. The counter-example of the head of an enterprise being known to use private channels as a means to communicate about company business only incentivizes more widespread noncompliance with corporate policies. The genie is out of the bottle: there is a seemingly endless number of easy ways that we as individuals are all now able to communicate with each other. New forms of technologies pop into existence with each passing year. A corporate strategy that embraces change in acknowledging these new ways of doing business, while providing clear, up-to-date guidance (and notice) to everyone on staff on what is and is not permissible, is a sensible path forward in the brave new workplace of our future.

JASON R. BARON SERVES AS OF COUNSEL IN THE IG AND EDISCOVERY GROUP AT DRINKER, BIDDLE & REATH LLP, AND IS CO-CHAIR OF THE INFORMATION GOVERNANCE INITIATIVE. HE MAY BE CONTACTED AT JASON.BARON@DBR.COM.
REFERENCES:
1. https://medium.com/bsg-sms/50-texting-statistics-that-can-quench-everyones-curiosity-even-mine-7591b61031f5
2. https://www.businessinsider.com/slack-8-million-daily-active-users-wants-500-million-2018-11
3. https://skipio.com/154-reasons-why-texting-is-the-future-of-business-to-customer-communication/
4. See Citizens for Responsibility and Ethics in Washington et al. v. The Hon. Donald J. Trump and the Executive Office of the President, 302 F.Supp.3d 127 (D.D.C. 2018) (appeal filed).
5. See Armstrong v. Executive Office of the President, 1 F.3d 1273 (D.C. Cir. 1993).
6. G. Paul & J.R. Baron, “Information Inflation: Can the Legal System Adapt?,” http://law.richmond.edu/jolt/v13i3/article10.pdf
7. See 44 U.S. Code § 2911 (2019).
INFORMATION PRIVACY GDPR ONE YEAR LATER BY RICHARD HOGG | PHOTO BY LILLI GARCIA (LILLIPOPART.COM)
Psst… have a private moment? It has been a year since the EU General Data Protection Regulation (GDPR) went live, and the world is still spinning. Let’s take a look at what transpired in the first year of GDPR. GDPR went live May 25, 2018, and it aimed to standardize Personal Data (PD) privacy and protection duties, obligations, and rights across all 28 member countries in the EU. The new privacy regulation updates and expands the previous EU privacy directive, which had been in place for two decades. With the historical reality of human rights incidents and multiple dictatorships, Europe’s focus on privacy is long-standing. People in the EU are ever more aware of the importance of data privacy and protection, and of their newly-refined rights under GDPR. They are now exercising these rights, including their Data Subject Rights around Rights to Enquire, Correct, Erasure, Opt-out, and Data Portability. So, across the whole of Europe (except for five member countries that have yet to adopt GDPR into their national legislation), a consistent privacy framework is in place. As 2019 began, the Executive EU Commission reported that more than 95,000 complaints[1] had been filed across Europe under GDPR so far. The first of those complaints was filed just six minutes into GDPR Day by None Of Your Business[2] (NOYB.eu), a nonprofit that is laser-focused on all things privacy and protection, founded by Max Schrems, privacy activist and attorney. Then Google was hit with a 50 million euro fine (about $56 million)—the largest fine to date as of early 2019. It was levied by the French privacy regulator (CNIL) under GDPR for transparency and lawfulness issues (think opt-in and consent). A €50M fine may sound like a big number, but it is a mere speeding ticket for Google––a warning, if you will. The fines will get larger if Google (and others) do not comply.
As conveyed from the central EU data protection supervisor Buttarell,7 along with many industry analysts (Iannopoll8) from late 2018, we’ve only just begun to see fines and sanctions hit major corporations for GDPR violations. Surely, some Eye-poppng ones are to come! EXACTLY WHICH “PEOPLE” ARE COVERED UNDER GDPR? Citizens of the EU, right? Be careful, this is one of those many areas where terminology (and assumptions) still
catch businesses off guard as they realize that GDPR applies to some (or all) of their global business. As defined in the GDPR, it applies to all Personal Data (in any media or format, electronic and physical) of any living, natural persons In Europe. If you’re not living—sorry— then GDPR doesn’t apply to your personal data (but there may be other regulations that do). If you’re in Europe–– regardless of being a citizen, legal resident, temporary alien or just passing through an EU airport for an hour–– GDPR likely applies to your personal data. “Natural persons” refers to GDPR applying to the personal data of all living people in Europe, but not to other legal entities, like corporations, who might claim personal business data. It still does apply to all businesses, and applies anywhere in the world they are collecting, storing, or processing the personal data of anyone IN Europe. It doesn’t mean GDPR only applies to legal entities or businesses based in Europe––or only on data centers with data In Europe. It means anywhere. IS ‘PERSONAL DATA’ JUST PII? “Personal Data” is just PII, right? Pedantically, Personal Data (PD) is the focus of GDPR. Of any direct or indirect identifiers across a wide (and often surprising) range of categories and types of Personal Data that can identify a natural living person in Europe. If you’re talking GDPR, PII is merely a subset of Personal Data. But definitions vary. For example, under the U.S. National Institute of Standards & Technology (NIST. gov) definition, a network TCP/IP address isn’t considered personal, whereas under GDPR (and most other privacy regulations) it most definitely is personal. WHAT DID IT MEAN TO BE GDPR READY? My point of view is it “just” meant a focus and action for getting and sustaining readiness across three activities and outcomes: 1. Compliance All the organizational change management activities around people, policy, process, and education to raise internal awareness of privacy and protection. 
Ensuring everyone is educated and practices with transparency and accountability: that policies are in place and that there is audited proof of their being followed. Plus, via contractual and other terms, ensuring your global supply chain sustains readiness on your behalf.
2. Data Protection. All the cybersecurity actions and outcomes around encryption, access controls and monitoring, data loss prevention, and incident and breach readiness and reporting.

3. Personal Data. Ensuring you have a good understanding of what is Personal Data across the business, by category and type, down to each main data source or system and its location. Document and maintain a Record of Processing Activities (ROPA) covering not only what is Personal Data, but for which business process, and on what lawful basis, you are collecting and using it. And readiness to respond within the deadlines to any data subject request (e.g., the right of erasure), in sync with a global IG and cybersecurity program.

Larger organizations then executed readiness plans and put in place sustaining ownership and activities around these three outcome areas, via formal privacy program plans, policies, and processes. These often included dedicated workstreams for where they act as a Controller and where as a Processor, and for which common services need to be stood up and run across the business to ensure consistency
and reduce risks and costs (e.g., a central privacy catalog and ROPA). IBM's examples are shared in its public GDPR journey e-book, available at www.ibm.com/gdpr.

MOST WERE NOT READY

As ongoing media reports and studies have shown, most businesses were able to do just enough to be initially ready, but they now realize far more extensive revisions across the three outcome areas are needed. We have only just begun. Some industries, and those with more customer-centric practices, have seen a spike in data subject requests and have struggled to complete them within the GDPR deadline of one month per request (a business has one month to complete each request, not merely to acknowledge it). These organizations have documented relying on the extension GDPR permits, which can add up to two further months for complex or numerous requests. Request volumes are still in the early stages in many countries and industries, and have been shown to spike whenever a data breach occurs.

WHAT'S NEXT?

For now, it is an ever more complex set of privacy and protection regulations being refreshed and enacted, with momentum around the world. Coming in 2020 is both the
California CCPA and Brazil's LGPD. A few months ago, Thailand issued its privacy regulation, which goes live later in 2020. And Brexit, if it has been resolved by now, adds to the complexity. Other countries already have some or most of a GDPR-like regulation in place, but often without the teeth of GDPR's potential penalties (up to 4% of annual worldwide turnover or EUR 20 million, whichever is higher). Many countries are updating and expanding their regulation, not only to protect consumers but also, if we are honest, to claw back some revenue from dominant American tech companies. And in the U.S.? At least 11 states are looking to clone or copy most of what California has in place with the CCPA. Even some cities, like Chicago, are working to enact local data ordinances while they await whatever action their state may take. Worst case, in the short term, the U.S. may have 50 different privacy regulations to meet, a very complex web for any multi-jurisdictional business to operate in and sustain. Let's hope we can get to some meaningful federal-level privacy regulation to make it a level playing field across the country. Getting there in the political short term may be hard, although the focus, priority, and volume of attention and hearings around these issues continue in Congress, along with business lobbying, various draft proposals, and the ongoing NIST Privacy Framework RFI.[9] At the end of the day, it is all about you and me, and our Personal Data.

RICHARD HOGG IS GLOBAL DIRECTOR OF INFORMATION GOVERNANCE AT THE LAW FIRM OF WHITE & CASE, LLP. HE CAN BE REACHED AT RICHARD.HOGG@WHITECASE.COM. PREVIOUSLY HE WAS IBM'S GLOBAL GDPR EVANGELIST, LEADING ITS GLOBAL GDPR READINESS PROGRAM, AND A PRIVACY AND INFORMATION GOVERNANCE EXPERT HELPING CLIENTS ON THEIR COMPLIANCE READINESS JOURNEY.
REFERENCES:
https://phys.org/news/2019-01-complaints-eu-countries-law.html
https://noyb.eu/faqs/
https://techcrunch.com/2018/10/03/europe-is-drawing-fresh-battle-lines-around-the-ethics-of-big-data/
https://go.forrester.com/blogs/gdpr-fines-are-coming-but-they-wont-be-your-biggestloss/
https://www.nist.gov/privacy-framework
FACEBOOK: ALWAYS WATCHING

Let's be honest. Most of us use our phones for much more than making calls, checking social media, and texting friends and family. We use dozens of apps to do everything from figuring out "who that actress is on that show" to checking weather forecasts and mortgage rates. And unfortunately, this data is being shared with Facebook. Given recent privacy concerns, it comes as no surprise that the tech giant aggressively collects data even if a user does not have Facebook connected on their device. Perhaps most concerning is that dozens of popular apps share your personal data without your clear consent. Are we really dumbfounded by such a revelation at this point? Governments around the world have set their sights on Facebook, Google, Amazon, and others, but fines alone have not slowed down the runaway train that is unfettered data collection. Some might be thinking, "Well, I don't even have a Facebook account." That should provide some level of protection, but a recent Wall Street Journal investigation revealed an unsettling reality: Facebook was collecting data even from people who do not have a Facebook account. And despite tech giants offering up boilerplate statements about requiring disclosure from apps, they do not require that apps disclose all the partners with whom the data is shared. So Facebook's lack of concern for user privacy continues unabated, until perhaps GDPR and CCPA enforcement hits full stride. —Staff
ATTORNEY GENERAL BECERRA, SENATOR JACKSON INTRODUCE LEGISLATION TO STRENGTHEN, CLARIFY CALI CONSUMER PRIVACY ACT
SB 561 CLARIFIES ATTORNEY GENERAL'S ADVISORY ROLE, ADDS PRIVATE RIGHT OF ACTION, AND ELIMINATES SO-CALLED "RIGHT TO CURE"
SACRAMENTO – California Attorney General Xavier Becerra and Senator Hannah-Beth Jackson in February unveiled SB 561, legislation to strengthen and clarify the California Consumer Privacy Act (CCPA). The CCPA is landmark legislation passed in 2018 that provides groundbreaking protections for consumers in their ability to control the use of their personal data. California is the first in the nation to pass a law giving consumers this right. SB 561 helps improve the workability of the law by clarifying the Attorney General's advisory role in providing general guidance on the law, ensuring a level playing field for businesses that play by the rules, and giving consumers the ability to enforce their new rights under the CCPA in court.

"California, the nation's hub for innovation, has long led the way to protect consumers in the digital age. And as we work to strengthen data privacy law, the world is watching. It's essential that we get this right," said Attorney General Becerra. "We thank Senator Jackson for her commitment to data privacy and for introducing SB 561, a critical measure to strengthen and clarify the CCPA. We will continue to work together to protect all Californians and their constitutional right to privacy."

"Our constitutional right to privacy continues to face unprecedented assault. Our locations, relationships, and interests are being tracked, bought and sold by corporate interests for their own economic gain and in order to manipulate us," said Senator Hannah-Beth Jackson. "With the passage of the California Consumer Privacy Act last year, California took an important first step in protecting our fundamental right to privacy.
SB 561 will ensure that the most significant privacy protections in the nation are robustly enforced."

SB 561 removes requirements that the Office of the Attorney General provide, at taxpayers' expense, businesses and private parties with individual legal counsel on CCPA compliance; removes language that allows companies a free pass to cure CCPA violations before enforcement can occur; and adds a private right of action, allowing consumers the opportunity to seek legal remedies for themselves under the act.

Background: The CCPA was enacted in 2018 and grants consumers new rights with respect to the collection and use of their personal information. As part of the law, businesses are prohibited from discriminating against consumers for exercising their rights under the CCPA. As required by the CCPA, the Attorney General must adopt certain regulations on or before July 1, 2020. Effective January 1, 2020, businesses must comply with the CCPA's key requirements:
• Businesses must disclose data collection and sharing practices to consumers;
• Consumers have a right to request that their data be deleted;
• Consumers have a right to opt out of the sale or sharing of their personal information; and
• Businesses are prohibited from selling personal information of consumers under the age of 16 without explicit consent.
CALI PRIVACY ACT TO HIT FINANCIAL SERVICES FIRMS THE HARDEST?
MANY INSTITUTIONS MAY THINK THEY GET A PASS ON CCPA
BY SCOTT ALLBERT | PHOTO BY LILLI GARCIA (LILLIPOPART.COM)
Have you heard the buzz about CCPA? Sure, most of us have heard about the new California Consumer Privacy Act, yet many companies will find themselves in serious trouble by not preparing properly. This will be especially true for financial services firms. A couple of important things to know: first, which companies are required to comply with CCPA (hint: this also includes firms located outside California), and second, what data falls under the protections of the act. California's new privacy law comes into effect on January 1, 2020. It is designed to give California residents a better way to control and protect their personal information. California consumers will have the right to order companies to delete their personal data, similar to what Europe's all-encompassing GDPR calls for. Many U.S. states are now debating new privacy laws using CCPA and GDPR as models to protect the rights of individuals and consumers. As we learned in the Winter 2019 issue of IG World in an article by Osterman Research, privacy regulations are rapidly spreading worldwide, in countries such as India, Brazil, and Australia. Even the U.S. Congress has been working on a bill that could become federal law. California consumers will have the legal right to force companies not only to delete their personal information but also to disclose what Personally Identifiable Information (PII) has been collected about them, demand
the reasons for collecting it, and order them to refrain from selling any of it. The personal information protected under this law is a lot more than just financial or banking data; it includes all "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." This covers many different types of information, including IP addresses, biometric data, personal characteristics, browsing history, geolocation data, and much more.

CCPA PASSED IN 2018

On June 28, 2018, the California Legislature passed Assembly Bill 375, the CCPA. The act applies to any for-profit business doing business in California that grosses more than $25 million annually, or that buys, receives, sells, or shares the personal information of 50,000 or more California consumers, households, or devices, or that derives at least half of its annual revenue from selling personal information; meeting any one of these thresholds is enough. Most importantly, CCPA applies to businesses meeting these criteria "regardless of location." You must comply if you process the personal information of Californians, whether your corporation is located in California or not. What is interesting is how CCPA was rushed into law and signed by Governor Jerry Brown in June 2018, just days before the deadline to withdraw a privacy initiative from the November ballot. Tech companies like Google and Facebook were ready to fight that voter initiative because it would have been stricter, holding them more accountable with more far-reaching
rules and heavier fines. These same tech giants are currently lobbying Congress in Washington, DC, to create new federal privacy laws. Not surprisingly, big tech companies are looking out for themselves, trying to preserve their "surveillance" business model by watering down impending privacy legislation. It is important to note that the CCPA has already been amended, and politicians promise more changes before the dust settles and it goes into effect in January 2020.

FINANCIAL SERVICES COMPANIES

Do financial services companies have an exemption? Well, yes, to an extent. In September 2018, the CCPA was amended with carve-out language to address business information, including financial services data. This amendment provides an exception for data already regulated by the Gramm-Leach-Bliley Act (GLBA). You can almost visualize compliance officers at banks like Wells Fargo and Bank of America celebrating one less regulation to deal with. However, as I tell our financial clients: "don't be complacent; you must be prepared." While the carve-out language is no doubt welcomed by GLBA-regulated entities, it should not be interpreted as a full exemption. Financial services firms remain subject to CCPA requirements if and when they engage in activities outside the GLBA, which many certainly do. The CCPA definition of "personal information" is much broader than the GLBA's, which is usually related to services performed in
consumer financial transactions. Since many financial services institutions believe they are fully exempt from CCPA, they could find themselves exposed to risks, fines, and related lawsuits, because they did not prepare properly and protect non-GLBA data. To be clear, the CCPA as currently drafted states that if a GLBA entity "collects information beyond that of providing a financial service or product to a consumer," then the CCPA applies. Examples of data collected outside a financial service or product include website visitor data and visitor locations, analytics used for targeted online advertising, and collected geolocation information. It is vital that financial services firms pay attention and distinguish which data is regulated by GLBA and which by CCPA, as they will inevitably be required to prove which data is exempt. More financial services organizations will find themselves struggling to stay compliant than in most other industries, because they did not prioritize CCPA compliance appropriately. Just as we learned after the European GDPR came into effect last year, some companies were ready and many were not. We also learned that the companies that committed to enterprise Information Governance (IG) and privacy programs, including software, systems, and organizational changes throughout, were much better prepared for CCPA and will be for any new regulation coming soon.
SCOTT ALLBERT IS PARTNER RECRUITER FOR M-FILES. INC. HE HAS OVER 20 YEARS’ EXPERIENCE IN ECM, IS A PAST CHAIR OF THE AIIM BOARD, AND AN AIIM FELLOW. HE MAY BE REACHED AT SCOTT.ALLBERT@OUTLOOK.COM.
GDPR’S FIRST BIRTHDAY BY MARK DRISKILL
As Brexit talks engulf European and UK politics, another smoldering issue threatens far worse damage to the EU/UK relationship, and indeed the global economy. Last May, the EU implemented sweeping new data privacy and protection law meant to protect the Personal Data (PD) of those in the EU, importantly, be they citizens, temporary residents, or visitors, from unauthorized use, and, extraterritorially, wherever in the world their personal data is stored or used. The issues stem from the EU's broad definition of PD and the long history in Europe of privacy being viewed as a fundamental human right, shaped by too much history of dictatorship and fascist control. The EU's General Data Protection Regulation (GDPR) took effect, provoking a new era of tech-company corporate accountability. The GDPR did not just standardize data privacy and protection across all (currently) 28 member states; it also refined how permission to use personal data must be sought and refreshed the right of each person in the EU to view and take control of their own personal data. As 2018 came to a close, it was
revealed that some major tech companies use personal data in ways that violate personal privacy. Large data handlers like Facebook, Google, and Amazon have come under close examination by EU regulators, both the privacy regulators enforcing GDPR (e.g., the UK ICO and Ireland's DPC) and EU competition regulators, forcing CEOs in the "personal surveillance data business" to defend, and even rethink, their business models (Google, for example, now cites privacy regulation as a major threat to its business model in corporate filings). Under GDPR these companies, without exception, must follow EU privacy law. The issues rest primarily with the advertising data insights these companies have created using proprietary algorithms. The invasiveness is secretive and at times unsettling, as these companies seem to know when someone will buy a pair of socks! At first glance, it might seem as if the first year of GDPR compliance has been largely uneventful, at least relative to other leading global news stories. It is really a journey, as EU regulators and analysts have said. With almost 95,000 privacy
complaints filed, they have only just started to process those investigations, findings, and enforcements. Many of the "privacy fines" we have seen since GDPR went live were really cases that occurred pre-GDPR, and thus much smaller in scope and penalty under the prior EU privacy regime. What has been happening quietly, almost behind the scenes, is a tacit acceptance that data privacy from the person-centered perspective must begin with forcing larger companies such as Facebook, Google, and Amazon to comply. This hangs over companies in the consumer tech sector like thick fog. American businesses and culture do not like anyone telling them how to run things. Apparently this is also true for GDPR compliance, adding to a persistent lack of full compliance. A December 2018 Forrester survey commissioned by Microsoft found that more than half of businesses failed to meet GDPR compliance checkpoints.[9] Other highlights included:
• 57% instituted "privacy by design"
• 59% "collected evidence of having addressed GDPR compliance risks"
• 57% "trained business personnel on GDPR requirements"
• 62% "vetted third-party vendors"
This last item is perhaps the most troubling: 38% have yet to vet their third-party software vendors. This means that a significant portion of the global economy is not meeting GDPR compliance. The Forrester survey's primary finding was that only 11% of global companies are prepared to undergo the type of digital transformation needed to fully comply with the GDPR-based privacy needs of citizens. In its entirety, GDPR has yet to make a significant impact beyond large tech company compliance. A key implied issue that ultimately influences GDPR compliance checkpoints is the balance between intrusion into a company's business practices and its ability to make a profit. Industry leaders such as Kon Leong, CEO of ZL Technologies, note that "built into the challenge is the paradox that achieving complete data privacy required by GDPR entails an unprecedented level of intrusion. In order to truly protect personal data, you [must] know exactly where and whose it is. This necessarily requires intrusion, which many don't understand." Leong's point is apt because the global economy depends on the flow of information. What is the balance? As conveyed by Richard Hogg, Global GDPR Evangelist, IBM, "Identity is a key challenge and duty around GDPR privacy compliance."

ENFORCEMENT AND PRECEDENT SETTING

With the new GDPR mandate in place, EU member countries have a valuable tool for ensuring compliance even as these companies take action to protect their business models. Ireland, for example, has "opened 10 statutory inquiries into Facebook and other Facebook-owned platforms in the first seven months since" GDPR adoption last May.[10] Irish Data Protection Commissioner Helen Dixon notes that the inquiries match the public's interest in "understanding and controlling" their own personal data. The Irish DPC fully intends these to be precedent-setting. Given the
widespread global use of Facebook and its plethora of connected apps, such inquiries from other EU member countries cannot be far behind. In perhaps the most egregious case yet, a whistleblower forced Facebook to reveal that "as many as 600 million users' passwords were stored in plain text and accessible to 20,000 employees, of which 2,000 made more than 9 million searches that accessed the passwords going back to 2012."[11] Added to this blatant breach of basic cybersecurity practice is the fact that Facebook knew about the issue in January and spent several months trying to keep it from the public.[12] These would surely have been embarrassing questions to answer during the recent U.S. Congressional hearings. As Forbes points out, cybersecurity at Facebook just might be obsolete. Even in the wake of the sensational stories regarding Russian interference in American elections, "Facebook did not conduct a top-down security audit of its authentication systems." This is a profound, if not provocative, revelation, particularly given Zuckerberg's promise to reform Facebook's business practices. That promise, made to Congress just prior to GDPR's May 2018 rollout, now seems empty. While Zuckerberg testified, his company continued its intrusive practices, even as he tried to simplify Facebook's business practices for legislators. What Zuckerberg did not tell Congress was that "GDPR has highlighted not only the privacy impact of a data-driven society," notes Kon Leong, "but also the issues that come with enterprises' siloed IT architecture." Facebook's IT architecture was (and probably still is) compromised by exactly such silos. In the business world, laws and regulations are street signs to setting precedent. During this initial phase of GDPR compliance, it is crucial that leading EU countries, such as Germany, take positions of authority.
Germany's Federal Cartel Office (Bundeskartellamt), the federal agency that enforces Germany's competition law, set a new precedent with a February 2019 decision. In that antitrust proceeding, the German regulator severely limited Facebook's ability to collect and combine user data inside Germany. This essentially walls off Germany's Facebook users from the rest of Facebook's user base. The precedent set by German regulators was substantial. Facebook (at least in Germany) can no longer merge data gathered from its other services and from third-party websites and apps into its users' profiles without their voluntary consent. That includes data collected through the Facebook Pixel, a small piece of tracking code (a script backed by a 1x1 image) that site owners embed in their pages and that reports visitors' activity back to Facebook's servers. With the German precedent, Facebook can no longer claim that what it does with user data on its platform is purely its own affair. In some ways, the first year of "GDPR-live" was marked by both confusion and denial that such regulation was really needed. Today, the establishment of a nation-specific precedent is the exception, not the rule. However, it cannot be overstated that Germany is one of the main economic powers of the globe. Without German leadership, GDPR might die an unceremonious death. The same must happen in other countries involved in setting global economic policy. In short, GDPR-style privacy must come to the United States. Thankfully, California is leading the way with its California Consumer Privacy Act (CCPA), which goes live in January 2020.
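The Facebook password incident described above is a failure of credential storage rather than of any exotic attack: if the table holds the password itself, everyone who can query the table has every user's secret. The following Python is an added illustration written for this article; it is not Facebook's code or that of any real system. It contrasts that anti-pattern with the standard hardened form, a per-user random salt and a memory-hard scrypt hash (PBKDF2-HMAC-SHA256 as a fallback on builds without scrypt) compared in constant time. The class names, work factors, and the sample user and password are assumptions made for the example.

```python
"""Credential storage: the plaintext anti-pattern beside the hardened form.

Added illustration for this article, not Facebook's code or any real system's.
Assumed for the example: the class names, the KDF work factors, and the
constructed sample user/password in demo().
"""
import hashlib
import hmac
import os
from typing import Dict, Tuple

SALT_LEN = 16           # bytes of random salt per user (assumed)
SCRYPT_N = 2 ** 14      # CPU/memory cost (assumed; about 16 MB at r=8)
SCRYPT_R = 8
SCRYPT_P = 1
PBKDF2_ITERS = 600_000  # fallback only, for OpenSSL builds without scrypt


def derive_key(password: bytes, salt: bytes) -> bytes:
    """Slow, salted KDF of the password (32-byte output)."""
    if hasattr(hashlib, "scrypt"):
        return hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                              p=SCRYPT_P, dklen=32)
    return hashlib.pbkdf2_hmac("sha256", password, salt, PBKDF2_ITERS, dklen=32)


class PlaintextPasswordStore:
    """The failure mode described above: the table holds the secret itself, so
    anyone who can query it (an employee, or an attacker holding a dump) has
    every user's password."""

    def __init__(self) -> None:
        self._rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._rows[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._rows.get(user) == password

    def export_table(self) -> Dict[str, str]:
        """What a log search or database dump reveals."""
        return dict(self._rows)


class HashedPasswordStore:
    """Hardened form: store only (salt, KDF(password, salt)). The password
    cannot be read back from the row; it can only be re-derived and compared."""

    def __init__(self) -> None:
        self._rows: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self._rows[user] = (salt, derive_key(password.encode("utf-8"), salt))

    def verify(self, user: str, password: str) -> bool:
        row = self._rows.get(user)
        if row is None:
            # Do the same work for unknown users so response time does not
            # reveal whether the account exists.
            derive_key(password.encode("utf-8"), b"\x00" * SALT_LEN)
            return False
        salt, stored = row
        candidate = derive_key(password.encode("utf-8"), salt)
        return hmac.compare_digest(stored, candidate)  # constant-time compare

    def export_table(self) -> Dict[str, Tuple[str, str]]:
        """What a dump reveals here: hex salt and hex hash, never the password."""
        return {u: (s.hex(), h.hex()) for u, (s, h) in self._rows.items()}


def demo() -> Dict[str, bool]:
    """Register one constructed credential in both stores and report what a
    table dump exposes and how verification behaves."""
    secret = "correct horse battery staple"  # constructed sample password
    plain, hashed = PlaintextPasswordStore(), HashedPasswordStore()
    plain.register("alice", secret)
    hashed.register("alice", secret)
    return {
        "plaintext_dump_reveals_password": plain.export_table()["alice"] == secret,
        "hashed_dump_reveals_password": secret in str(hashed.export_table()["alice"]),
        "hashed_accepts_correct": hashed.verify("alice", secret),
        "hashed_rejects_wrong_case": hashed.verify("alice", secret.capitalize()),
        "hashed_rejects_unknown_user": hashed.verify("mallory", secret),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

Running the file prints the five checks. The one that matters for the incident above is the second: a dump of the hashed table does not contain the password, so an employee search over it, or an attacker who exfiltrates it, learns nothing directly and must brute-force each salted hash separately at the KDF's cost.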
INFORMATION SECURITY
AN INTERVIEW WITH CYBERSECURITY LEADER OZ ALASHE, MBE
BRITISH MILITARY LEADERSHIP PREPARED HIM FOR DEFENSE AGAINST CYBER THREATS
Oz Alashe MBE leads the UK cybersecurity firm CybSafe and has been the driving force behind the CybSafe concept, vision, and platform. Oz is a former Lieutenant Colonel in the British Army and UK Special Forces. He has a successful track record of developing strategy, driving innovation, and leading implementation in both the public and private sectors. His background gives him a unique insight into the socio-technical realities of cybersecurity and the sensitivities around changing human behavior. We caught up with Oz at his West London home.

IG World: Where did you grow up? Go to school?

OA: I grew up in Hertfordshire, a county north of London. I went to a public school called St Albans School, which was founded in 948 AD, making it one of the oldest schools in the world.

IG World: What are some of your fondest childhood memories?

OA: My fondest childhood memories are those with my family. My mother was always a positive role model for me, and I have particularly vivid and warm memories of her laugh and sense of humor. I was fortunate enough to grow up as one of three kids, and I have many happy memories of us playing together, especially on holiday. We used to travel a lot as a family: to West Africa, Europe, and the US. But it's not just the holidays that I treasure. Even a simple outing to a restaurant or the cinema could become an epic adventure in my childhood imagination.

IG World: You are a former UK Special Forces Lieutenant Colonel; what key lessons did you take away from that experience that may apply to business? Cybersecurity?

OA: The Armed Forces arguably invest
more time and resources in training their personnel than any other institution in the UK. One of the biggest areas of focus is leadership. Across all levels of leadership, the concept of "serving to lead" is nurtured and encouraged. I believe this has served me well, both in service and now, as a civilian in the business world. First and foremost, leadership is about service. This means challenging and supporting in equal measure. It means putting others before yourself and doing all you can to create the conditions for those you manage to succeed at what they do. It means being clear in your understanding of the objective and providing clarity to those you are fortunate enough to lead. It means accepting that you're not the smartest, fastest, or strongest in the room; in fact, it means actively seeking to fill the room with people much better at what they do than you! It means going the extra mile,
sometimes embracing discomfort, and embodying an example for others to follow.

IG World: What sparked your interest in cybersecurity?

OA: I've always been involved in securing and helping those that aren't in a position to do it for themselves, hence I began my career in the military, and cybersecurity is really just an extension of that interest. I've also always been a technologist. Technology offers us huge potential to create a better society, and it's already helping us address some of the world's most pressing problems in areas such as the environment, health, and education. On the other hand, although positive, digitalization has actually made us vulnerable as a society. Even in my early career, for example, some of the bad guys we were chasing were exploiting technology in order to fund or carry out their terrorist acts. So for me, it's about promoting the positives that tech has to offer,
and combating the negatives.

IG World: What was your primary motivation in co-founding CybSafe?

OA: The idea for CybSafe was developed in response to a number of problems that I saw companies facing during my time at Torchlight Group, a British counter-threat firm. Online behavior at work and at home has been the most significant threat to business security for a number of years. But while at Torchlight, I noticed that businesses often didn't have the resources, time, or expertise to address this human aspect of cybersecurity effectively on their own. They also had no way of understanding the risk they were carrying in this area or knowing whether their supply chain posed them any risks. When awareness solutions were implemented, they were often inadequate: they didn't actually change the way people were behaving, and businesses were none the wiser when it came to quantifying their human cyber risk. All these training manuals, austere cybersecurity policies, and phishing simulations that businesses were inflicting on their staff were simply not working. Staff still had weak passwords, shared sensitive data, fell for phishing emails, and so on. I saw a genuine gap in the market for an innovative solution to this aspect of the cybersecurity challenge, one that would have a tangible impact on how people act. And so, I co-founded CybSafe in 2015, which launched to market in 2017.

IG World: How is CybSafe's approach using advanced data analytics and cognitive technologies different from your competitors'?

OA: CybSafe's first differentiator is the depth of our platform's data analytics. The cyber risk of individual employees, the effectiveness of cybersecurity awareness programs, and ROI have all, historically, been quite hard to measure. This lack of raw data has led to difficult conversations at the C-level, because the CISO (or equivalent) hasn't had any or much proof of existing risk, or proof that awareness programs were mitigating this risk. CybSafe addresses this with rich, actionable data and data visualization.
Our platform uses tens of thousands of data points per user to provide insight into individual human cybersecurity and data protection risk in real time. CybSafe’s reporting and analytics dashboards show customers whether their human cyber risk and resilience is where it needs to be and which interventions are working. It shows them the state of their cybersecurity culture, and how they compare to other companies of their size or in their industry. This means customers always have the information they need to make better decisions about cyber risk. Our second differentiator is that, unlike competitors, CybSafe intelligently processes data to evolve the platform through machine learning on the basis of user understanding, content preferences and role-based or industry-specific risk profile. This means that advice, guidance and training content becomes increasingly personalized to the individual over time and supports users at the right time, in the right way, and in a way that is much more likely to influence behavior. All of this reduces risk more effectively, efficiently and in a less time-consuming manner. A third differentiator is our science-based design. CybSafe has been rigorously developed, tested,
and applied by in-house behavioral science experts in collaboration with academic research partners. CybSafe's Research Advisory Group, which includes world-renowned academics from UK universities and the UK's National Cyber Security Centre (the NCSC acts as a bridge between industry and government), means that everything we do is aligned as much as possible with academic research in the space.

IG World: What is the greatest looming cybersecurity threat that could have a major impact on societal stability and security?

OA: Nation-state and state-sponsored actors have been on the rise, certainly for the last couple of decades. They pose the most serious national cyber threat. Utility firms, government organizations, and other publicly owned organizations (particularly those managing national infrastructure) are most at risk. In some senses, we've already had a taste of what's at stake. Back in 2016, NotPetya, eventually attributed to Russia, caused chaos in the utility sector, as well as in financial services and transport. The attack paralyzed networks worldwide, costing FedEx and Maersk about $300m each. Then in 2017, US nuclear, energy, aviation, water and critical
manufacturing industries were all targeted along with government entities in a highly sophisticated phishing campaign. Again, Russia appeared to be behind the activity. What are some future developments and threats in cybersecurity that might emerge in 5-10 years? The growth of the Internet of Things is bringing dramatic changes to the cybersecurity landscape. As connected devices increase in circulation by the day, the attack surface area increases and so does the level of threat. Vulnerabilities in these devices are almost inevitable. And once a critical mass of machines is compromised, criminals can launch DDoS attacks. From the human cybersecurity perspective, which is what I’m most interested in, many things won’t actually change over the next 5-10 years. Cybercriminals are still profiting from the same run-of-the-mill techniques, and victims are unfortunately still making the same errors. Conventional attacks—such as delivering malware (especially ransomware) through social engineering—will remain a threat. However, of course, we’ll witness new sophisticated attacks coming onto the scene. When it comes to
the social engineering threat, hackers are constantly devising more credible scams. Classic 419 (e.g. Nigerian advance fee) scams are still circulating (and fooling a small minority) but highly persuasive, believable spearphishes are on the rise. At CybSafe, we also expect the targets of human cyber-attacks to change. Recent reports indicate that cybercriminals are shifting away from attacking consumers, and are attacking businesses more frequently instead. You were made Member of the Most Excellent Order of the British Empire (MBE) for your military service; could you tell us more about your social causes and mentoring activities? The MBE is an honor for me and was awarded for “personal leadership in the most complex and sensitive of conflict environments.” I like to get involved in social enterprises and charitable groups that are supporting people—usually, young people from more deprived areas who haven’t necessarily had the right opportunities. I believe that everyone has the potential to achieve, but not everyone has the right environment or the right support that would allow them
to succeed and thrive. What is your favorite sports team, and why? My favorite sports team is Arsenal football club. Based in Islington in North London, the team wasn’t too far from home, and my whole family are Arsenal fans. Naturally, I became a supporter. What do you like most about living in London? London is a buzzing city that’s switched on 24/7 - the kind of place where there’s always something to see and do. It’s also a diverse city— outward-facing by nature and an extraordinarily positive place to live. What is your favorite London pub? And why? I live in West London in a place called Chiswick. There’s a little bar there called The Old Fire Station that serves great drink and food. OZ ALASHE, MBE LEADS THE UK CYBERSECURITY FIRM CYBSAFE AND HAS BEEN THE DRIVING FORCE BEHIND THE CYBSAFE CONCEPT, VISION AND PLATFORM. OZ IS A FORMER LIEUTENANT COLONEL IN THE BRITISH ARMY AND UK SPECIAL FORCES. HE HAS A SUCCESSFUL TRACK RECORD OF DEVELOPING STRATEGY, DRIVING INNOVATION AND LEADING IMPLEMENTATION IN BOTH THE PUBLIC AND PRIVATE SECTORS. HE IS AT OZ@CYBSAFE.COM
CSA’S CLOUD CONTROLS MATRIX MAPS TO LEADING FRAMEWORKS BY BAIRD BRUESEKE
The genesis of the Cloud Security Alliance (CSA) began at the 2008 Information Systems Security Association (ISSA) Chief Information Security Officer (CISO) Forum in Las Vegas. The CSA was incorporated as a nonprofit organization in 2009. The initial mission and strategy of the CSA was outlined by Jim Reavis and Nils Puhlmann. They reached out to the information security community and asked for help to formalize their plan. As a result, dozens of volunteers stepped forward to create the initial work product, which was a white paper presented at the 2009 RSA conference. The CSA’s mission is: To promote the use of best practices for providing security assurance with Cloud Computing, and provide education on the uses of Cloud Computing to help secure all other forms of computing.

In 2010, the CSA published the first version of the Cloud Controls Matrix (CCM). The CCM is the only meta-framework of cloud-specific security controls. One of the important aspects of the CCM is that it maps the CSA’s controls to all of the leading standards and regulations. The CCM maps the CSA’s cloud security controls to these standards: AICPA, BITS Shared Assessments, BSI Germany, PIPEDA Canada, CIS AWS Foundation, COBIT, COPPA, ENISA IAF, 95/46/EC EU Data Protection Directive, FedRAMP, FERPA, GAPP, HIPAA/HITECH Act, HITRUST CSF, ISO/IEC 27001, ISO/IEC 27002, ISO/IEC 27017, ISO/IEC 27018, Mexico Federal Law, NERC CIP, NIST SP800-53, NZISM, ODCA UM: PA, PCI DSS, IEC 62443-3-3, C5.

As industry migrated computing services to the cloud, the CCM evolved to keep pace. Version 3.0.1 of the CCM was published in November 2018. This version identifies 132 controls in 16 domains:
1. Application & Interface Security (4 controls)
2. Audit Assurance & Compliance (3 controls)
3. Business Continuity Management & Operational Resilience (11 controls)
4. Change Control & Configuration Management (5 controls)
5. Data Security & Information Lifecycle Management (7 controls)
6. Datacenter Security (9 controls)
7. Encryption & Key Management (4 controls)
8. Governance and Risk Management (11 controls)
9. Human Resources (11 controls)
10. Identity & Access Management (13 controls)
11. Infrastructure & Virtualization Security (13 controls)
12. Interoperability & Portability (4 controls)
13. Mobile Security (20 controls)
14. Security Incident Management, E-Discovery, & Cloud Forensics (5 controls)
15. Supply Chain Management, Transparency, and Accountability (9 controls)
16. Threat and Vulnerability Management (3 controls)

The foundations of the CCM lie in the customized relationship to other industry-accepted security standards, regulations and controls frameworks. The CSA CCM strengthens existing information security control environments by emphasizing business information security control requirements, reduces and identifies consistent security threats and vulnerabilities in the cloud, provides standardized security and operational risk management, and seeks to normalize security expectations, cloud taxonomy and terminology, and security measures implemented in the cloud.1 Access to the cross-framework mapping provides security professionals with a valuable tool to guide their infrastructure migrations
to the cloud. For example, using the CCM, healthcare professionals looking to validate the security of their HIPAA data in a cloud environment can easily see that the HIPAA/HITECH Act regulation 45 CFR 164.312(e)(2)(i) maps to CCM Control AIS-01, Application & Interface Security. For healthcare organizations that use the HITRUST Cloud Security Framework to audit their environments, HITRUST controls 10.b, 10.c and 10.e map to the same CCM control, AIS-01. This cross-framework mapping function provides auditors working with industry-specific frameworks a clear guide for use in evaluating the effectiveness of the security controls used to protect information assets in a cloud environment. Use of the Cloud Security Alliance’s Cloud Controls Matrix by internal and external audit teams reduces the effort required to verify compliance and eliminates the need to update existing industry-specific frameworks to add cloud-specific controls.

The CCM is available as a free download by completing the form at this URL: https://cloudsecurityalliance.org/artifacts/csaccm-v-3-0-1-11-12-2018-FINAL/
More information about the Cloud Security Alliance is available at: https://cloudsecurityalliance.com

REFERENCE: 1. https://cloudsecurityalliance.org/working-groups/cloud-controls-matrix/#_overview
CIS RELEASES NEW MOBILE CONTROLS BY BAIRD BRUESEKE
In March 2019, the Center for Internet Security (CIS) released the Mobile Companion Guide to help organizations map the CIS Controls and their implementation in mobile environments. In the companion guide, the focus is on a consistent approach to applying the security recommendations in both Google Android and Apple iOS environments. Factors such as “Who owns the data?” and “Who owns the device?” affect how the device should be secured. The Mobile Companion Guide explores bring your own device (BYOD), corporate-owned, personally-enabled (COPE), fully managed and unmanaged devices.

Unmanaged – A popular model for small companies and startups, this is the most dangerous scenario to the enterprise and should be avoided, if possible.
BYOD (Bring Your Own Device) – Devices are owned by the end-user but occasionally are used for work purposes. Access from BYOD devices to organizational resources should be strictly controlled and limited.
COPE (Corporate Owned, Personally Enabled) – COPE devices work in a fashion similar to BYOD. Restrictions will be applied to the device but generally don’t prevent most of what the user intends to do with the device.
Fully managed – Devices within this deployment scenario are typically locked down and only permitted to perform business functions. This means that employees have a second device for personal use.

The Guide also looks at systems that administer and monitor devices, such as Enterprise Mobility Management (EMM), Mobile Device Management (MDM), Mobile Application Vetting (MAV), and Mobile Threat Defense (MTD). The CIS Mobile Companion Guide includes this checklist to track implementation of the 20 controls on your mobile devices.

CIS Controls™ v7 Mobile Companion Checklist
Checklist columns: More than 60% of CIS Sub-Controls Apply / Between 60% and 0% of the CIS Sub-Controls Apply / 0%
CIS Control Title:
1. Inventory and Control of Hardware Assets
2. Inventory and Control of Software Assets
3. Continuous Vulnerability Management
4. Controlled Use of Administrative Privileges
5. Secure Configuration for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
6. Maintenance, Monitoring and Analysis of Audit Logs
7. Email and Web Browser Protections
9. Limitation and Control of Network Ports, Protocols, and Services
10. Data Recovery Capabilities
11. Secure Configuration for Network Devices, such as Firewalls, Routers and Switches
14. Controlled Access Based on the Need to Know
15. Wireless Access Control
16. Account Monitoring and Control
17. Implement a Security Awareness and Training Program
18. Application Software Security
19. Incident Response and Management
20. Penetration Tests and Red Team Exercises

We all have mobile devices. We need to adopt a security mindset and harden our devices to protect ourselves against the unique challenges of on-the-go environments. The CIS Mobility Guide provides an excellent overview of how to get started with this challenge. The complete guide can be downloaded at this URL: https://www.cisecurity.org/blog/new-release-ciscontrols-mobile-companion-guide/

REFERENCE: http://www.cisecurity.org
Email Governance Needs? Try modern email management in the cloud with Integro Email Manager™
Value-based email governance. Retain important email. Eliminate ROT. Integro Email Manager™ (IEM) is an easy to use email governance solution for Office 365, Exchange, and Lotus Domino. Integro Email Manager helps companies govern email to reduce email retention (easing eDiscovery & reducing risk), manage high business value email, and properly classify email records.
CONTACT US AT 720.904.1611
VISIONARY INTERVIEW WITH HEIDI MAHER BY ROBERT SMALLWOOD / PHOTOGRAPHY BY NIKKI ACOSTA
Heidi Maher had a unique childhood, growing up in Iran, where her mother worked as a nurse volunteer for the U.N. When the political environment changed for the worse after the 1979 Iranian revolution, her family immigrated to the United States. During that process her family lost their life savings, so she became determined to become an attorney and fight for justice. Before entering the tech industry, Heidi was a felony prosecutor, civil litigator, an assistant state attorney general, and the public information officer for a large environmental agency. She is licensed to practice law in Texas and is admitted to the Fifth Circuit Court of Appeals. Ms. Maher then entered the tech industry, and was involved in strategy, marketing and consulting at various technology companies. She is an attorney and IG specialist who has helped hundreds of organizations move from theory to practice both from within the industry and as an external advisor. In 2015, she was named Executive Director of the Compliance, Governance, & Oversight Council (CGOC). The CGOC has published IG benchmarking studies and a thorough IG Process Maturity Model (IGPMM), which was updated in 2017 to include a greater emphasis on privacy and security. We wanted to learn more about her vision for the CGOC, and approach to IG, so we caught up with Heidi near her home in Austin, Texas.

What got you interested in compliance?
After a short stint abroad, I returned to work as a litigator at a law firm and the Texas Attorney General’s office. Because of my background, eDiscovery was a logical area of focus, so I moved to a company that provided litigation support. However, it was frustrating to see all the problems that occurred because customers were ignoring Information Governance (IG), the first stage of the E-Discovery Reference Model (EDRM). I spent the next few years at a large technology company as a subject-matter expert helping customers manage and dispose of their enterprise data to reduce the downstream cost and risk associated with eDiscovery. This was the time when information entering organizations was increasing at an exponential rate and companies across the country were frantically trying to comply with rapidly developing rules and regulations. Organizations like the Sedona Conference, EDRM.net and the CGOC sprang from the need to provide some best practices to guide organizations through that difficult time.

How did you get involved with the Compliance, Governance and Oversight Council?
I had been aware of the CGOC for a number of years before my company partnered with PSS Atlas and its CEO, Deidre Paknad. She started the CGOC in 2004 to create a forum where practitioners could share ideas and best practices within working groups and at regional meetings. Later, I became a fan and user of the CGOC Maturity Model, one of the most widely used tools in the industry for documenting the process capabilities and maturity of an organization’s information governance program. In 2015, due to recommendations from past colleagues James Schellhase and Jake Frazier, I was brought in to lead the organization as its Executive Director.
PHOTOS ON OPPOSITE PAGE PROVIDED BY HEIDI MAHER
Heidi’s Scottish mother was a nurse assigned to a village in Iran, where she met Heidi’s father. Her childhood years in Iran were peaceful and easy, with pets, school and family picnics on the mountainside. After gunfire and blackouts, the family escaped to the US, where Heidi enjoyed creative and competitive outlets like the dance team, along with education and work abroad. Heidi hopes to instill the same values of education, personal improvement, and service to her son, who currently wants to be a “bone doctor.”
“CGOC EVENTS ARE UNIQUE IN THAT LEGAL, RECORDS, COMPLIANCE, PRIVACY/SECURITY AND IT PROFESSIONALS ALL COME TOGETHER IN A CROSS-FUNCTIONAL WAY TO SHARE INSIGHTS AND BRAINSTORM SOLUTIONS TO COMMON BUSINESS PROBLEMS.”

What priorities did you set for the organization when you became Executive Director?
The value of the CGOC rests within the 3,800+ members. Whether they are highly experienced practitioners or just getting started, their shared insights and diverse industry perspectives create a knowledge base that we can use to solve complicated legal, IT and business challenges. I wanted to do a better job of harnessing that by growing membership and participation. Whether speaking at events, writing articles or contributing to whitepapers or industry tools, their collective knowledge and experience create insights and guidance for the rest of the industry. Increasing the number of events was another priority. In this increasingly digital and virtual world, in-person events become even more unique and important in bringing together thought leaders and practitioners. Although there are many stakeholder-specific conferences, CGOC events are unique in that legal, records, compliance, privacy/security and IT professionals all come together in a cross-functional way to share insights and brainstorm solutions to common business problems. Since many organizations are siloed, cross-functional analysis of common challenges can be difficult to arrange and attain. CGOC events create an atmosphere where those discussions are facilitated and best practices are learned from peers at similar organizations that have tackled the same issues.
However, discussions alone are not enough. My next priority was the IG Process Maturity Model (IGPMM). The cornerstone of the CGOC philosophy is how to move from the discussion of challenges and planning of solutions to practical implementation. As such, it became necessary to update IGPMM, to revise some old processes and add new ones to guide practitioners through the advancements in IG. So, we updated the Model to include new processes such as Cloud Computing, Data Quality, and Data Lineage. We also updated the Privacy and Data Protection Obligations section to reflect evolving data privacy concerns, including the impact of the European Union General Data Protection Regulation (GDPR) and added
three additional processes relating to data security best practices: External Intrusion, Accidental Data Leakage and Insider Theft of Data. My final priority was to increase the focus on privacy. Being involved in the privacy field since 2006, it was obvious that it was going to be an increasingly complicated hurdle for all organizations. That’s why the CGOC was providing leadership and guidance around privacy compliance long before the GDPR was implemented.

What are the benefits of using the CGOC IG Process Maturity Model for assessments?
The CGOC IGPMM is designed to take a novice stakeholder from 0 to 60 by suggesting cost levers to create a business case, guiding the documentation of organizational risk on a heat map and scoring your organization on each of the 22 processes through the 4 levels of maturity.
Top Corporate Data Protection Challenges
STAFF TRAINING & AUDITS: 57% train staff on data protection compliance, with 25% doing regular training and audits.
DATA VALUE AND ORIGIN: Although most respondents understand the value of data, 41% have no system in place to determine origin and quality, and only 3% have fully automated processes with audit trails.
Only 6% feel they are fully compliant with GDPR, with most organizations concerned about the inability to demonstrate compliance and revealing their poor data disposal practices.
DATA SECURITY THREATS: When it comes to data security, 50% of respondents identify internal staff and practices as the biggest threat vs. 38% who choose external hackers.
EXECUTIVE APPETITE FOR RISK: Regarding appetite for risk, 34% of executives will sometimes let operational and cost concerns override compliance with data protection regulations.
Although 85% say fine-tuning a defensible disposal program will benefit data protection initiatives, 40% have not even started one.
For more information visit www.cgoc.com
“‘DON’T LET PERFECTION BE THE ENEMY OF GOOD.’ BREAK UP THE PROJECT INTO SMALL STEPS AND THEN… TAKE THEM.”

What role does Infonomics play in Information Governance?
Infonomics plays a huge part in IG. Companies are coming to realize that their data is perhaps their biggest asset. That’s why, I believe, there are Fortune 500 companies that do a poor job of deleting their unnecessary data. They are afraid they might accidentally remove data that still has intrinsic value. However, they should realize that a lot of worthless ROT exists, and because data is so valuable it must be managed as such, and that’s where IG comes in.

What advice do you have for others trying to implement IG programs?
Simple. Just start. As a wise person once said, “Don’t let perfection be the enemy of good.” Break up the project into small steps and then… take them.

What special skill or hobby do you have that might surprise your colleagues?
Since I no longer work in the DA’s office, I compensate by reading and listening to true crime books and podcasts. Also, though not a skill or hobby, I think my colleagues would be surprised to learn that I can get rambunctious during basketball games.

What do you like most about Austin?
Even though this city has grown by leaps and bounds, the character of the people has stayed the same. People respect you for who you are, not what you have or what you do. For such a large and dynamic city, it maintains that small town vibe. The only downside to the city is the brutally hot summers.

What is your favorite lunch or brunch place in Austin, and why?
Thai Kitchen is my go-to lunch place. It’s a little hole-in-the-wall restaurant near the UT campus, and it has the best hot pot seafood and lemongrass soup. Also, you can’t go wrong with anywhere that serves Tex-Mex!
NIKKI ACOSTA
MAGNETIC FOCUS PHOTOGRAPHY
I find myself being completely at home and sporting a huge grin when I am behind the lens. I’ve always had a passion for people and being able to capture pieces of my interactions with all shapes, sizes and personalities is a total dream job. I believe that every person has that one detail or factor about them that is worth doing a double take for; that special something that pulls you in. I’ve always photographed with the intention of focusing on the beauties, the layers, the colors and the vividness of every person or event I encounter. In a world so separated by many factors, I believe photography can be a medium that gathers people together and can further prove that we are all worth taking a moment for, we are all magnetic.
FACEBOOK.COM/MAGNETICFOCUSPHOTO
World-class Instructor-Led Classroom Training on IG with Leading IG Trainer Robert Smallwood
Attend this popular classroom course held at one of the most beautiful college campuses in the world, the University of San Diego, which overlooks the Pacific Ocean. Taught by IG thought leader Robert Smallwood, the world’s leading trainer and author on IG topics, students get personal attention to ensure they grasp key IG concepts and can apply them to their work. The first day covers IG Basics including the IGP Certification Prep Crash Course, followed by two days of Advanced IG Training. The course is based on Smallwood’s groundbreaking text, Information Governance (Wiley, 2014, 2019), and also supplemental course materials.
Take advantage of this exclusive training opportunity to educate your IG team! Seating is limited, reserve yours today at IGTraining.com, or call us at 888-325-5914!

“I really got a lot out of Mr. Smallwood’s teaching style and personal attention.” —IG Manager, Top 10 U.S. Law Firm
“Thank you to Robert Smallwood for providing us with so much insightful information, and the tips we will need to pass the IGP certification.” — IG & Compliance Manager, Major Pharmaceutical Firm
“The 3-day training was very educational, and the small classroom environment made it even more interactive.” —RIM Manager, Fortune 500 Corporation

Past attendees include IG professionals from major law firms, leading corporations, and large government agencies, including:

IG Training 3 Day Basic & Advanced Intensive Course
University of Miami, November 19-21, 2019 (Tues-Thur)
* SUPER EARLY BIRD DISCOUNT ($300 discount): Register by May 19, 2019. Cost: $1,395
* EARLY BIRD DISCOUNT ($200 discount): Register by Aug. 19, 2019. Tuition Cost: $1,495
Tuition Cost: $1,695* (Group discounts are available for 3 or more from the same company.)
Includes: Tuition, Breakfasts, Coffee Breaks, and Supplemental Materials. NOTE: You must purchase the textbook prior to class. Housing options include nearby hotels in partnership with USD.

Topics Include:
• Failures & Lessons Learned in IG
• GDPR, Big Data Impact
• IG Imperative
• IG Principles
• Role of Data Governance in IG
• IG Risk Assessments
• Strategic Planning for IG
• IG Policy Development
• IG Program Management
• Infonomics: The Value Side of IG
• IG for Legal Functions & E-discovery
• IG for RIM
• IG for IT
• Privacy Functions in IG
• IG for Email, Social, Mobile, Cloud
• SharePoint IG
• Digital Preservation
• Information Asset Registers
• Taxonomies & Metadata
• Cybersecurity in IG
• IG for Emerging Technologies
• The Role of Executive Sponsorship in IG
• IG Best Practices
• Developing Key Metrics for IG Programs
ANALYTICS & INFONOMICS CLEAN-UP CONTENT WITH CONTENT ANALYTICS TECHNOLOGIES BY JIM JUST
Shared drive remediation is a crucial activity for effective Information Governance (IG). Shared drive remediation helps to lower risks and costs by significantly reducing data volumes and providing accessibility and structure to unstructured information. Today’s discussion focuses on technologies available to help with the remediation and content migration process. These products fall under the technology category of content analytics (CA), also referred to as file analytics.

Classification is a key requirement for effective IG and CA—unstructured content, once tagged with proper metadata and classified, becomes structured and, therefore, findable, useable and manageable through its life cycle. Structuring shared drives using classification will move the organization a long way toward IG, but the use of content management systems/services, including properly deployed SharePoint sites, brings the greatest degree of operational effectiveness and life cycle control to achieve formal enterprise IG. The goal of shared drive remediation is to migrate cleaned-up content to a system; if a system isn’t available or the content isn’t a good fit for it, then migrating content to a shared drive structured using a functional classification is the best option.

There are many CA solutions; the kinds of content, the ultimate outcomes desired, volume of content and cost will help determine the options available to your organization. Systems are not meant for one-time clean-up projects; rather, continuous assessment of new content will help monitor the new folder structures to be sure content is being saved in the right place.

CA systems have varying capabilities:
• Metadata analysis - looks only at the file system (and/or SharePoint) metadata (properties). All systems conduct metadata analysis and often have pricing options for metadata-only analysis.
• Text analytics - further refines categorization of content, can search for personally identifiable information (PII) and other sensitive data, and identifies high-value content.
• Image analysis - groups like images using graphical pattern matching; it does not require optical character recognition (OCR).
• Archive solutions - perform the above analytics but also ingest target content into their repository for ongoing classification, analysis, discovery, hold and disposition.
• SharePoint - Some solutions are tightly integrated with SharePoint information architecture for bidirectional updates of taxonomies and metadata.
• Additional functions - Some solutions offer e-discovery, email migration and classification term-extraction.

To some degree, the solution capabilities beyond pure CA are indicative of the product origin—products that started out as e-discovery solutions have strong capabilities in that area. Others originated as CA solutions and excel at grouping, remediating and migrating content. Still others originated as archiving solutions and have expanded to encompass CA and e-discovery capabilities. While manual analysis or Excel spreadsheets can be useful for a high-level content analysis, acting on content is a much greater challenge without a CA solution.

CA solutions follow roughly the same workflow:

1. Discover content
The system crawls content (starting at the root specified) and ingests metadata into a data store (not necessarily a relational database). If text analysis is done, the text will be added to a full-text data store. Text analysis significantly slows down the crawl; therefore, a first cut at clean-up based on metadata will yield immediate results and reduce the content that will be ingested for full-text analysis. This data store is your “data lake.”

2. Cleanse content
Analyze content, group content by like attributes, match to an existing classification scheme or use the CA system to build classification terms. Remediate redundant, outdated and trivial (ROT) content and purge or quarantine it. Using just metadata, this task can be completed across very high volumes of content and across multiple repositories for broad normalization. In addition, workflow is used for human identification of content groupings that cannot be automatically classified. Most CA solutions use artificial intelligence (AI) to constantly improve classification accuracy; others require a “document corpus” to train the analysis engine on syntax concepts to improve recognition. Extracted metadata can be rationalized and validated. Another valuable analysis task identifies migration issues dependent on the target system; for example, file names or document types not supported by SharePoint, encrypted files, password-protected files, undocumented file extensions, etc. These anomalies can be queued in workflow for review or quarantined prior to initiating migration activities.

3. Identify sensitive data or business-critical data
Products that leverage text analytics use regular expressions (regex) to find social security numbers, credit card numbers and other PII, or to locate tags that are critical for a business, such as contracts, intellectual property, etc. Some systems will leverage outside data sources to validate extracted data—e.g., a regular expression would be used to search for a “contract number” pattern in the text. If a candidate is found, the value will be looked up against a database of valid contract numbers.

4. Migration of content
Once you have clean, classified content, it can be migrated, using business rules and considering IG policies, to a new, properly classified shared drive, an enterprise content management (ECM) or content services solution, SharePoint site, or another repository. Content that is questionable can be queued in workflow for human analysis, and content with sensitive data can be migrated to quarantine, waiting for further analysis and action.

5. Content rationalization
Now that content is clean, categorized and has validated metadata, it can be further analyzed to extract business data or be reorganized to meet business needs (mergers and acquisitions, divestiture, discovery, etc.).

6. Ongoing governance
It is critical to monitor and maintain IG rules going forward to avoid facing the same mess a year or two down the road. CA systems offer various ways of automating classification tasks or monitoring repositories for compliance with the new taxonomies. An example of the data visualization capabilities of these systems is shown in the dashboard graphic (above)—typical of all of the CA systems.

It has no doubt become obvious that there are many considerations when cleaning up content and migrating it. CA tools, fortunately, formalize and automate the application of most business rules and IG policies. They manage content work processes to effect proper content groupings within a formal classification structure. For more information on CA issues, efficient information organization, information governance, life cycle management and ongoing control, visit www.imergeconsult.com.
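The discover / cleanse / identify / migrate workflow above, as an added example that is not from the article or from any CA product: a small Python scanner over a constructed sample share that crawls from a root, hashes files to catch exact-duplicate ROT, checks file names for migration anomalies, confirms regex candidates before counting them (Luhn for card numbers, a lookup list standing in for the contract database), and assigns each file a disposition. The patterns, the known-extension list and the SharePoint-style file-name rule are simplified assumptions, and every sample value is made up.

```python
import hashlib
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List, Optional, Set

# Step 3 candidates: a regex alone over-matches, so every hit is validated below.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b")
CONTRACT_RE = re.compile(r"contract number[:\s]+([A-Z]{2}-\d{4})", re.IGNORECASE)

# Step 2 migration checks (assumed SharePoint-style rules; confirm for your target).
BAD_NAME_CHARS = set('"*:<>?/\\|')
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".pptx"}


@dataclass
class FileRecord:
    path: str
    size: int
    sha256: str
    duplicate_of: Optional[str] = None  # ROT: exact copy of an earlier file
    issues: List[str] = field(default_factory=list)  # migration anomalies
    sensitive: List[str] = field(default_factory=list)  # validated hits
    disposition: str = "migrate"


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects most random digit runs the card regex accepts."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str, valid_contracts: Set[str]) -> List[str]:
    """Regex candidates, each confirmed before it counts as a hit."""
    hits: List[str] = []
    if SSN_RE.search(text):
        hits.append("ssn")
    if any(luhn_ok(re.sub(r"\D", "", m.group(0))) for m in CARD_RE.finditer(text)):
        hits.append("card")
    for m in CONTRACT_RE.finditer(text):
        number = m.group(1).upper()
        if number in valid_contracts:  # looked up in the business system of record
            hits.append(f"contract:{number}")
    return hits


def name_issues(name: str) -> List[str]:
    """Anomalies that would block or corrupt migration into the target system."""
    issues: List[str] = []
    if any(c in BAD_NAME_CHARS for c in name):
        issues.append("unsupported-characters")
    if Path(name).suffix.lower() not in KNOWN_EXTENSIONS:
        issues.append("unknown-extension")
    return issues


def scan_share(root: Path, valid_contracts: Set[str]) -> Dict[str, FileRecord]:
    """Step 1 crawl from the root, then metadata-first analysis of each file."""
    records: Dict[str, FileRecord] = {}
    first_seen: Dict[str, str] = {}  # sha256 -> first path with that content
    for full in sorted(p for p in root.rglob("*") if p.is_file()):
        data = full.read_bytes()
        rel = full.relative_to(root).as_posix()
        rec = FileRecord(rel, len(data), hashlib.sha256(data).hexdigest())
        rec.duplicate_of = first_seen.get(rec.sha256)  # None for the first copy
        first_seen.setdefault(rec.sha256, rel)
        rec.issues = name_issues(full.name)
        if full.suffix.lower() == ".txt":  # the slow full-text pass, only where cheap
            rec.sensitive = find_sensitive(data.decode("utf-8", "replace"), valid_contracts)
        # Business rule: hold sensitive content, flag copies for purge, route anomalies to workflow.
        rec.disposition = ("quarantine" if rec.sensitive else "purge-candidate"
                           if rec.duplicate_of else "review" if rec.issues else "migrate")
        records[rel] = rec
    return records


def build_sample_share() -> Path:
    """Constructed sample share in a temp dir; every value here is made up."""
    root = Path(tempfile.mkdtemp(prefix="share-"))
    samples = {
        "legal/msa-2019.txt": "Contract number: AB-1234, executed copy.",
        "legal/draft.txt": "Contract number: ZZ-9999, never executed.",
        "hr/payroll.txt": "Employee 123-45-6789 paid by card 4111 1111 1111 1111.",
        "hr/payroll_backup.txt": "Employee 123-45-6789 paid by card 4111 1111 1111 1111.",
        "ops/what?.txt": "Quarterly notes, nothing sensitive.",
        "ops/z_old_copy.txt": "Quarterly notes, nothing sensitive.",
        "ops/export.xyz": "output of a retired tool",
    }
    for rel, body in samples.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")
    return root
```

Running scan_share(build_sample_share(), {"AB-1234"}) yields one file to migrate, two for review, three quarantined and one purge candidate; a real deployment would swap the lookup set for a query against the contract system and feed the records into the dashboard and workflow queues the article describes.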
JIM JUST IS A PARTNER WITH IMERGE CONSULTING, INC., WITH OVER 20 YEARS’ EXPERIENCE IN BUSINESS PROCESS REDESIGN, DOCUMENT MANAGEMENT TECHNOLOGIES, BUSINESS PROCESS MANAGEMENT AND RECORDS AND INFORMATION MANAGEMENT. CONTACT HIM AT JAMES.JUST@IMERGECONSULT.COM OR FOLLOW HIM ON TWITTER @JAMESJUST10 OR CALL HIM AT 608.239.8282.
ANALYTICS & INFONOMICS
KICK START YOUR IG PROGRAM WITH CONTENT CLEANUP PRACTICAL ADVICE ON SHARED DRIVE REMEDIATION BY BRIAN TUEMMLER | PHOTO BY LILLI GARCIA (LILLIPOPART.COM)
Corporate and government entities continue to maintain the vast majority of their information as unstructured content. All the new privacy regulations are shining a lot of light on PII as structured data, but the unstructured office content is still where we document decisions, explore brilliant ideas, establish specifications, solidify agreements, and communicate with our most valuable assets—our customers. These locations are also where we audit call center audio, investigate fraud, manage events, make backups, and test new websites. They are different in nature than what one could or should put into an enterprise content management (ECM) system. They are also where Christmas party photos are shared, drafts are abandoned, mistakes are made, and temporary holding places are kept forever.

Want to eliminate shared drives? Then you need to think long and hard about all the activities we use network (shared) drives for—it is not just where we create documents and presentations. We can, however, focus on cleaning them in a way that reduces risk, increases productivity, and helps legal and compliance response times.

Organizations often think about how to clean up their content, but few know how to get started. Not all content is valuable (or “sparks joy” as Marie Kondo says) in the same way for everyone in the organization. It is rare that organizations clean up content for the sole purpose of cleaning up. The effort is often a first step in a more extensive, more strategic Information Governance program, including:

• Records management
• Access requests for GDPR, CCPA
• ECM site development or migrating to the cloud
• Minimizing eDiscovery costs
• Preparing for mergers or divestitures
• Consolidating data centers

GO AHEAD, BOIL THE LAKE

Numerous organizations have tried various levels of content cleanup; some manual and some automated; some with success, while some could never muster the approvals to delete anything. Here are my five suggestions for optimizing your cleanup process:

1. Build an indexed data lake and figure out priorities. These programs require that you have a comprehensive view of your unstructured data. How can you manage your information if you don’t know what you have? Think of an indexed data lake like your phone’s map app; it allows you granularity, selectable details, and is highly interactive. Data lakes exist for similar reasons, but they are limited in the content you can store in the lake. Indexing all content into a lake may not be realistic, but the more content you can get under control, the more of the above programs you can undertake, and the more data—and risk—you can minimize.

2. Before you delete anything, preserve legal hold content. Check to see if your data lake indexing software credibly works to preserve litigation content.

3. Act upon content in bulk. With a policy in place that states what you can and cannot store on network drives, you can then delete all temporary files, drafts, duplicates, Christmas photos, old versions, obsolete software, and expired records, without needing approvals before you press the delete button. Further, consider working with business units and applying access controls to files that are widely accessible by all users on the network, specifically files that contain PII.

4. Put things away. If you find databases, applications, utilities, or web content, consider that they require different access, performance, retention, and most importantly, security than most of your other content. A cleanup process should include putting content where it can be protected well and perform efficiently. Also, lock down files that should be kept secure based on your existing security classification strategy.

5. Evaluate the larger governance opportunities. If you are going to have a full view into all data, you should consider classifying records, personal or regulatory responsive data, security-centric data, and so on, not just garbage “ROT” files. Information privacy, security, and compliance, from an Information Governance perspective, is a big driver for cleaning content, and an excellent way to garner support. Approach it like the strategic catalyst it is.

BRIAN TUEMMLER IS AN INFORMATION GOVERNANCE SOLUTION MANAGER AT NUIX AND CAN BE REACHED AT BRIAN.TUEMMLER@NUIX.COM
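As an added illustration of suggestions 2 through 5 above (my own example code, not the author's or Nuix's), the Python below triages constructed shared-drive file records in a fixed order: the legal-hold flag is checked before any deletion rule, then temp files, then duplicates (by SHA-256 of content), then declared records whose retention has expired under a made-up schedule, then old versions; PII-bearing files that survive are kept but flagged for access restriction. The file records, the retention periods and the filename markers are all constructed and stand in for what an indexing tool would supply.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention schedule: years to keep a declared record after its last modification.
# A real schedule comes from the organization's policy, not from this example.
RETENTION_YEARS = {"invoice": 7, "hr-record": 6}
TEMP_MARKERS = ("~$", ".tmp", ".bak", "thumbs.db", ".ds_store")
OLD_VERSION_MARKERS = (" - copy", "_old", "(1)")
TODAY = date(2019, 4, 1)   # constructed "cleanup day"


@dataclass
class FileRecord:
    path: str
    modified: date
    content: bytes                      # inline stand-in for the file body
    record_class: Optional[str] = None  # declared record type from the taxonomy, or None
    legal_hold: bool = False            # set from the legal-hold index before cleanup starts
    contains_pii: bool = False          # set by a PII scan of the content


def is_temp(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in TEMP_MARKERS)


def is_old_version(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in OLD_VERSION_MARKERS)


def is_expired(rec: FileRecord, today: date) -> bool:
    """Declared records expire after their retention period; undeclared content never expires here."""
    years = RETENTION_YEARS.get(rec.record_class or "")
    if years is None:
        return False
    return rec.modified + timedelta(days=365 * years) < today   # approximate, ignores leap days


def triage(files: List[FileRecord], today: date) -> Dict[str, str]:
    """Return a path -> decision map. Rule order matters: legal hold beats every delete rule."""
    decisions: Dict[str, str] = {}
    kept_hashes: Dict[str, str] = {}   # sha256 -> path of the copy that is being kept
    # Oldest first, shortest path on ties, so the original (not "- Copy") wins duplicate checks.
    for rec in sorted(files, key=lambda r: (r.modified, len(r.path), r.path)):
        if rec.legal_hold:
            decisions[rec.path] = "preserve-legal-hold"
            continue
        if is_temp(rec.path):
            decisions[rec.path] = "delete-temp"
            continue
        digest = hashlib.sha256(rec.content).hexdigest()
        if digest in kept_hashes:
            decisions[rec.path] = "delete-duplicate"
        elif is_expired(rec, today):
            decisions[rec.path] = "delete-expired-record"
        elif is_old_version(rec.path):
            decisions[rec.path] = "delete-old-version"
        elif rec.contains_pii:
            decisions[rec.path] = "keep-restrict-access"   # lock down rather than leave world-readable
            kept_hashes[digest] = rec.path
        else:
            decisions[rec.path] = "keep"
            kept_hashes[digest] = rec.path
    return decisions


# Constructed sample records; none of these paths or dates come from the article.
SAMPLE_FILES = [
    FileRecord("finance/invoice_2010.pdf", date(2010, 3, 1), b"invoice 2010", record_class="invoice"),
    FileRecord("finance/invoice_2018.pdf", date(2018, 6, 1), b"invoice 2018", record_class="invoice"),
    FileRecord("hr/applicants.xlsx", date(2019, 1, 5), b"name,ssn,...", contains_pii=True),
    FileRecord("shared/~$report.docx", date(2019, 1, 10), b"owner lock"),
    FileRecord("shared/report.docx", date(2019, 1, 10), b"final report"),
    FileRecord("shared/report - Copy.docx", date(2019, 2, 1), b"final report"),
    FileRecord("legal/invoice_2005.pdf", date(2005, 4, 1), b"invoice 2005",
               record_class="invoice", legal_hold=True),
]

if __name__ == "__main__":
    for path, decision in sorted(triage(SAMPLE_FILES, TODAY).items()):
        print(f"{decision:24} {path}")
```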
REGULATORY COMPLIANCE LAW & ORDER INTERVIEW WITH JOHN ISAZA, ESQ.
John Isaza, Esq., FAI heads the Information Governance & Records Management practice at Rimon Law Firm in Orange County, California, and is CEO and Co-founder of Information Governance Solutions LLC. Mr. Isaza is internationally recognized in the fields of IG, as well as RIM. He is one of the country’s foremost experts on RIM issues, electronic discovery, and legal holds. He has developed IG and records retention programs for some of the most highly-regulated Fortune 100 companies, including related regulatory research opinions. His clients range from the Fortune 100 to startups. Mr. Isaza is also an expert in social media law. He is the current chair of the ABA’s Social Media Law Subcommittee of the Business Law Section of the American Bar Association. In this capacity he is a contributing author and Editor of the book, A Handbook on Global Social Media Law for the Business Lawyer, published by the ABA. Mr. Isaza is a frequent lecturer on the issue, and he advises clients on the difficult issues in navigating a social media presence.

Prior to joining Rimon, Mr. Isaza was co-founder and Partner of Howett Isaza Law Group, a boutique law firm specializing in corporate compliance matters, complex business, real estate, construction, employment and environmental litigation. Immediately prior to that, he served as in-house General Counsel to a publicly traded medical device manufacturer, now owned by Abbott Laboratories. Mr. Isaza rounds out his previous experience with over a decade as a trial lawyer specializing in business, environmental contamination, products liability and construction defects. During that time, he served as Arbitrator for the Los Angeles Superior Court. Mr. Isaza attended Boston College Law School, where he served as Editor of the International Law Review. In 1989, he served as Judicial Extern in the United States District Court of Massachusetts, Honorable David S. Nelson.

Mr. Isaza is a highly sought-after speaker in the ARMA, AIIM, ABA, American Bankers and IT compliance circuits. Mr. Isaza serves on various committees of the ABA, including the Cyberspace Law Committee and the E-Discovery and Digital Evidence Committee; he is a contributing author to the ABA’s Internet Law 2nd Edition, as well as ARMA’s GARP® Metrics & Audit Guide; he is past President of the Greater Los Angeles ARMA Chapter and of the Hispanic Bar Association of Orange County; he served on the Board of Directors of ARMA International, the Orange County Bar Association, and he currently serves on the Board of Orange County’s Public Law Center. Mr. Isaza co-authored a book entitled, 7 Steps for Legal Holds of ESI & Other Documents released in July 2009 and was a contributing author in 2012 to the ABA’s Internet Law for Business Lawyers, 2nd Edition. He is the 2008 recipient of ARMA’s prestigious Britt Literary Award, and his writings have been featured in The American Lawyer’s Law.com. In 2011, Mr. Isaza was named the 45th Fellow of ARMA International (the “FAI” designation after his name) - the highest honor bestowed by the professional association of records and information managers.

John Isaza, Esq.

We spoke with John at his Laguna Beach home:
IG World: Where did you grow up? Go to school?

JI: I grew up all over the place – Colombia where I was born, Puerto Rico where I attended elementary school, and the U.S., mainly in Miami Beach, Florida through my teen years into adulthood. From Miami Beach High, I attended the University of Florida, and then Boston College for law school.

What are some of your favorite childhood memories?

Most of my childhood memories are from my years living in Miami Beach. I was always so proud to have a job, from working as a shoe shine boy to working as a valet at a hotel, and even as a water ski instructor for three summers my freshman through junior years in high school. When not working, I enjoyed after school activities with my friends playing football and riding our bikes for hours at a time with no destination in mind. What a treat to be doing something without a destination or goal in mind. As a side note, and at the risk of sounding like a total geek, I really enjoyed my years in the Speech and Debate Team from high school through college. I was not a naturally gifted speaker by any stretch, but while enjoying it I picked up a tip or two on how to engage an audience.

What sparked your interest in the law?

I wish I could say it was from watching episodes of Perry Mason or reading To Kill a Mockingbird. The truth is I was an immigrant, and I wanted to take full advantage of the opportunities this great adoptive country of mine had to offer. So it was either law school or medical school, and frankly I was not smart enough for medical school. That said, once I entered law school, I found a community that was really keen on making the world a better place. I learned in law school that you can do a lot of good with the skill set we were privileged to receive from the training.
What influenced your decision to co-found your software company, Information Governance Solutions?

After law school, I found myself shackled into a miserable existence as a trial lawyer. I hated having to get up every morning to gear up for a fight. That was just not my personality. After my 10-year stint as a litigator, I found a new passion helping major corporations build defensible IG programs, but the research and retention schedule process was cumbersome, inefficient and very expensive. We needed a better way. I thought if RIM had the tools to build and maintain a records retention program, any company could be confident their schedule would be defensible, cost-effective, and scaled to their size and complexity. This is when I got together with my co-founder, Todd Cawthron, to build a modern and efficient approach to the process. Although I did not take the traditional route to doing good with my law training such as going into politics or working for a non-profit, I found that creating a software company allows me to work with people whose company I enjoy while allowing us to solve problems in the RIM profession. I take a lot of pride in keeping people employed while treating each and every employee as a partner in our journey.

What are IGS’ key competitive advantages you offer customers?

Our flagship product is VIRGO, a software-as-a-service for managing retention schedules and global IG requirements, including not only retention but privacy, location, format, storage, language and statutes of limitations. We stand out from the rest primarily because of our depth across all industries and across over 200 global jurisdictions. No other product on the market has that kind of reach. Second, we are currently the only product on the market that integrates into O365 and we are getting ready to roll out our first integration into OpenText. This functionality is a game changer for our customers.

What changes do you see coming in the RIM and IG space over the next 5-10 years?

I foresee new opportunities from the use of artificial intelligence (AI). With Virgo, for instance, we are working to leverage the use of AI to not only procure the research needed to support IG programs, but also to help automate other spokes of the IG wheel. When you combine AI to identify the requirements of what you absolutely have to keep on file, I honestly feel that we are closer than ever to that elusive silver bullet to automate data retention.

We hear you are close friends with attorney John Jablonski, who was your co-author for a book on legal holds. You two live on opposite ends of the country. Can you tell us how your friendship developed?

Oh yes. John and I met at an ARMA Conference in 2007. We had a mutual interest in legal holds. As you may recall, legal holds were all the rage after the initial passage of the Revised Federal Rules of Civil Procedure in 2006. Unfortunately, the law came with little guidance and the case law was all over the place. We set out to invent an easy approach to legal holds, which resulted in, 7 Steps for Legal Holds of ESI and Other Documents, published in 2009. During the process, we became good friends, to the point where John asked me to officiate his wedding and then he returned the favor by officiating mine in 2015. John has an incredible work ethic, and I really respect that.

John Isaza, Esq. (pictured left) with John Jablonski, Esq.

If you could have dinner with three people, living or dead, who would you choose, and why?

For some reason this is the hardest question to answer, as I love to devour history books. Thankfully, many biographies have given me insight into the minds of many of the leaders I respect. However, there are a couple who remain an enigma. For instance, Jesus Christ has been chronicled by many, but I would love to get his views on human foibles from him as a flawed human and not as a saint. From ancient times to the Renaissance, I would also love to speak to Leonardo DaVinci just to see how the mind of such a talented man in the sciences and arts works. Finally, from more recent times, I would love to sit down for a chat with Steve Jobs, as he may go down in history as having similar impact to DaVinci and I would be curious to learn how he tapped into his instincts without being shackled with current norms.

What is your favorite sports team and why?

I bleed Orange and Blue for the University of Florida Gators. You asked earlier about fond memories from my youth, and those days watching the Gators on the football field, basketball court, track, pool, or even the gymnastics floor are truly a happy place for me. Go Gators!

What hobby or special talent do you have that might surprise your colleagues?

I came close to moving to Broadway to pursue a career in singing. I even had a talent agent. However, I got cold feet, as I had too many student loans to pay. Regrettably, during a surgery a few years back my vocal cords were damaged so I cannot hit the high notes (or many notes for that matter) that I used to hit with ease.

What do you like most about living in SoCal? Least?

It is hard to argue with the gorgeous weather, and the scenery in Laguna Beach where I live is truly paradise. That said, the price for paradise is sharing it with the millions of others who want to enjoy it as well, so traffic is horrible. I truly despise traffic, so I work from home to avoid getting on those congested roads. Been there, done that.

JOHN ISAZA, ESQ., FAI HEADS THE INFORMATION GOVERNANCE & RECORDS MANAGEMENT PRACTICE AT RIMON LAW FIRM IN ORANGE COUNTY, CALIFORNIA, AND IS CEO AND CO-FOUNDER OF INFORMATION GOVERNANCE SOLUTIONS LLC. MR. ISAZA IS INTERNATIONALLY RECOGNIZED IN THE FIELDS OF IG, AS WELL AS RIM. HE IS ONE OF THE COUNTRY’S FOREMOST EXPERTS ON RIM ISSUES. HE IS AT: JOHN.ISAZA@RIMONLAW.COM
ELON MUSK: MORE LEGAL WOES?

In our Fall 2018 debut issue, IG World noted that Elon Musk’s tweets regarding possibly taking the company private likely violated SEC compliance regulations. In our last issue we reported that Musk was fined $20 million, forced to resign as Chairman, and required to add new independent directors to the board. Now, it is clear that Elon Musk continues to thumb his nose at the SEC’s attempts to rein in his tweets. In February, Wired reported that the SEC had filed a motion requesting that Musk be held in Contempt of Court. On February 19th Musk tweeted that, “Tesla made 0 cars in 2011, but will make around 500k in 2019.” This tweet immediately alarmed the Tesla legal team. Four hours later Musk clarified his statement when he tweeted, “Meant to say annualized production rate at the end of 2019 probably around 500k, i.e., 10k cars/ week. Deliveries for the year still estimated to be around 400k.” However, because the first tweet was not “pre-approved” by Tesla’s legal team as required in the earlier legal settlement, the SEC is proceeding with the Contempt of Court filing. Given the strong evidence Musk violated the settlement agreement, it seems likely that the court will issue more fines, attempt to curb his public statements over social media, and possibly ban him from serving as an officer or a director of Tesla.
INTERVIEW WITH SONIA LUNA, CEO AND PRESIDENT AT AVIVA SPECTRUM | PHOTOS BY CHRISTIAN YI
Sonia Luna is the founder, CEO and President at Aviva Spectrum. Winner of the 2018 California Cannabis Awards as "Best Accountant," Mrs. Luna has more than 18 years of compliance, internal and external audit experience. In 2014 she was appointed by SEC Chair Mary Jo White to the Advisory Committee on Smaller & Emerging Growth Companies. She is an elected member of the Board of Governors for the Institute of Internal Auditors (IIA) and worked in Big 4 environments such as EY and Arthur Andersen. Sonia is a known expert in compliance matters for public companies and a proven leader in the internal audit community. She has worked instrumentally on several of the audit projects issued by the Office of Inspector General of Build-LACCD. She has handled compliance-related matters for Build-LACCD, from procurement analysis and fair wage analysis to bidding/proposal processes, as well as fraud investigations.
We caught up with Sonia at her office in Los Angeles:

IG World: Where did you grow up? Go to school?

SL: I grew up in a small area in the San Fernando Valley. It was called Sepulveda back then but today it's now known as North Hills. I attended a small Catholic school called Saint Genevieve, located in Panorama City. It was a quaint school which taught me discipline, hard work and ethics. Every day started out with prayer and the pledge of allegiance. I was there throughout my elementary and high school. I later studied accounting at Cal State Northridge.

What activities did you most enjoy as a child?

My favorite activity as a child was riding my bike around the neighborhood. This was back in the day where parents would allow their kids to play freely with other kids without adult supervision. I was outside right after I completed my homework. I rode my bike with other kids until dinner time. In school I played basketball and softball. I was fortunate enough to have excelled in both sports and became captain of my high school teams. I was lucky enough to have a great coach in high school who taught me a lot about focus and determination. His name was Jack Sunderlick. Our school didn’t have super star athletes. We were small in size and talent. Sunderlick was very instrumental in helping me relieve stress from my home life, school and all those things that come with being a teenager. Sunderlick knew the only way we would win games would be if we were the best endurance players on the field. During our breaks we still trained and went to several tournaments so our legs would stay fresh during the regular season. It was a strategy that paid off in the long run. We won several games and even a few championship games during my time there.

When did you first become interested in becoming an accounting professional, and why?

I was a sophomore when I attended my first general accounting class. It was there that the professor noticed that I had a talent for understanding accounting concepts. He encouraged me to study more in accounting and said that, as a profession, the accounting firms were opening up more and more positions to women. I later took other courses in accounting and enjoyed them. I was lucky enough to connect with one of my elementary school friends, Ronette. She was studying accounting courses as well. She had encouraged me to get involved with the Accounting Association on campus. When I joined, I connected with other accounting students and was able to work part-time and volunteer with my peers. I was fortunate enough to understand the importance of getting good grades, practicing interview questions with my peers and also planning out how we’d pass the CPA exam.

It had to be an uphill climb to break out as an entrepreneur. What was the driving reason you decided to start your own company? And what have been the biggest challenges?

I was a manager at Ernst & Young and noticed that right after Sarbanes-Oxley was passed several of my large clients struggled to understand and implement this new set of regulations. It was then that I wrote down my pros and cons of going out on my own. I thought that even if I failed, I could come back to Ernst & Young. I was even willing to take a demotion if I failed because that was going to be my back-up plan. The biggest challenge I faced was getting new clients and learning the art of selling services. I realized quickly that EY has a great brand and therefore it was very easy to get a new client comfortable that you're going to do a great job. But without a brand you're truly just selling yourself. It felt as if I was constantly going on a job interview over and over again. But I learned to be diligent, passionate and authentic every time I met with a new prospective client. That's what really allowed me to sell my services. Clients have found me to be practical, thorough and very technical. My passion for automating accounting and compliance gives my clients the comfort that I will create a sustainable compliance system.

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) provides frameworks and guidance on enterprise risk management, internal control and fraud deterrence. How do you utilize COSO frameworks in your consulting practice? And how do clients benefit?

Currently our consulting practice has two types of clients. Our first set of clients are publicly traded companies that require an internal control audit, due to the Sarbanes-Oxley Act (“SOX”). All of our publicly listed clients are using the COSO framework as their baseline for their internal control audit. However, our second set of clients are privately held companies, some of which are in the cannabis industry. COSO has guidance for smaller companies and we leverage that as a baseline for our private and small emerging companies. The cannabis industry is growing so quickly and changing at a rapid rate. Because of this rapid growth, it's a true challenge identifying the right internal control structure for our cannabis clients. For example, most cannabis companies do not have a bank account. Therefore, cash controls are one of the most important areas we focus on when providing consulting services.

What changes or updates has COSO made in recent years, and how does this affect the industry’s approach to enterprise risk management (ERM)?

COSO recently updated its ERM framework. Most of the updates pertain to information technology security controls and strategic objective alignment. Because IT changes constantly, the updated ERM framework provides more guidance on how to manage these changes, while ensuring they are secure for both the company and its customers. Regarding the update pertaining to strategic alignment, ERM updated its guidance to mention the importance of the management team staying on track when allocating its resources.

You are a leading cannabis compliance advisor. What unique challenges do clients face in cannabis compliance in California?

There are several challenges facing California cannabis companies today. Our firm segments compliance into two main areas. The first is state level compliance. The second are federal compliance matters. Our clients are growing so fast that following up and monitoring all compliance items is not only complicated, but there’s also a lack of a focused and dedicated person on the team to monitor all the compliance issues they face on a daily basis.

Your business is certified with the National Gay & Lesbian Chamber of Commerce, and you are a vocal supporter of LGBTQ issues. How has this impacted your clients’ view of your firm? Has it been good for business?

My clients rarely ask about my certification status, whether that’s from NGLCC or WBENC. I honestly feel in Los Angeles in particular we have turned a big corner and my clients hire me because we are great at what we do. Having the certifications from these agencies is more like “icing on the cake.” I have had only one major client that, upon hiring us, tracked their spend on our firm because we were certified by NGLCC. Therefore, to only have one client track their spend on us in 15 years speaks volumes. Our clients want to hire us because we’re one of the leading experts in the cannabis field and we talk a great deal about streamlining their compliance costs in accounting and taxes.

Which historical figure do you most identify with, and why?

Amelia Earhart is a woman I identify with lately. She embodies a spirit of creating her own course in life. Having left EY so early in my career and just leaving it up to God to help me along the way was both scary but also liberating. Now I’m on the same path venturing out to cannabis clients that my buddies at EY can’t service. Once it becomes federally legal, which may come sooner than what most people think, then they will say I was a true thought leader because I jumped into the space without hesitation and charted my own course in this industry.

What is your idea of perfect happiness?

My idea of perfect happiness is walking my kids to school, hiking with my family and helping my clients grow.

What do you like most about living in L.A.? What is your favorite lunch place?

Los Angeles has the best weather and I try to take advantage of it every day by walking places, going to hiking trails and visiting the beach. My favorite business lunch spot is located in Culver City called Café Vida. They have delicious vegan dishes that would take me hours to prepare at home. I have taken several of my clients and referrals to this spot and they all seem to love it. It’s a hidden gem in Culver City.
LEGAL & eDISCOVERY A.I. GOVERNANCE INTERVIEW WITH NICOLAS ECONOMOU
Nicolas Economou is the chief executive of H5, a legal automation provider. He was a pioneer in advancing the application of artificial intelligence (AI) in legal systems and in advocating norms for its governance. He chairs the Law Committees of the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems and of the Global Governance of AI Roundtable hosted in Dubai as part of the annual World Government Summit. He leads The Future Society’s Law and Society Initiative and is also a member of the Council on Extended Intelligence (CXI), a joint initiative of the MIT Media Lab and IEEE-SA. Nicolas has been featured in Forbes magazine, and has spoken on issues pertaining to AI and its governance at a wide variety of conferences and organizations, including the Spring Meetings of the International Monetary Fund (IMF), UNESCO, UN University, the World Web Forum, Harvard and Stanford Law Schools, and Renmin University of China. Nicolas was a member of the Law and Judiciary policy committee for Barack Obama’s first presidential campaign. Trained in political science at the Graduate Institute of International Studies of the University of Geneva (Switzerland), he earned his MBA from the Wharton School of Business, and chose to forgo completion of his MPA at Harvard’s Kennedy School in order to co-found H5.

Where did you grow up? Go to school?

As a diplomat’s son, I grew up in several countries, including Germany, Greece, Iran, and The Netherlands– where I graduated from high school. I went to university in Switzerland and the United States.

What subjects most interested you in your university studies?

Public international law.

Who was your favorite teacher, and why?

My high school history teacher in The Hague. He offered me an exciting, unexpected leadership opportunity at an age where a mighty tempest of synaptic confusion was rampaging in my head. It made a difference in my life.

What sparked your interest in Artificial Intelligence and the law?

It reflects my professional and life trajectories. Nothing gives you an appreciation for the rule of law like experiencing its complete breakdown, as I did while working in Zaire or hustling out of Conakry, Guinea, during a chaotic attempted coup in the mid-‘90s. With respect to AI, as an entrepreneur I am convinced that it offers tantalizing opportunities to advance functions of the law and values that animate it, but that it also entails the dystopian risk of dehumanizing the legal system. Law and technology increasingly influence each other in a process of co-production. It is a fascinating time to work at that intersection.

What fueled your decision to co-found H5?

The IP, which was a novel way to replicate and automate complex human judgments. It was clear, at the dawn of the age of Big Data, that there would be considerable need for that capability in domains ranging from litigation and investigations to compliance. I am proud that H5 is regarded as a pioneer in the field. Entrepreneurship in Silicon Valley was also an appealing adventure.

How does H5 assist clients, and what are your firm’s key competitive advantages?

With respect to data preservation or compliance, we partner with our clients to help them find the information they need, within (primarily) their unstructured data. For example, identifying PII or finding sensitive records when retiring legacy data systems and/or migrating to the cloud. With respect to litigation and investigations, our clients rely on us to help them respond effectively and efficiently to production requests, and, more importantly, to find the key documents they need to win their cases. Our competitive advantage is our search and data analysis expertise, which I believe our clients would tell you is unique. We combine experts in linguistics, data analytics, computer science, and statistics with scientifically designed processes and proprietary technologies. This combination allows us to help our clients meet document review, key-document identification, data analytics, and compliance tasks quantifiably better, faster, and more cost-effectively than any alternative.
Governance of AI is a major issue going forward. What insights and caveats can you share in that regard?

It is crucial to take an institutional view when it comes to AI governance, in particular in the law. Absent from most AI-and-the-Law dialogues is the key question: “Why should we, as citizens, trust the adoption of AI in the legal system?” In my view, trustworthy adoption of AI in the law—and in corporate or law firm settings for that matter—rests on the successful operationalization of four principles, promulgated by the IEEE Global Initiative on Ethics of Autonomous and Intelligent Systems. They are: Evidence of effectiveness (does the AI work in the specific use case?); Operator competence (what makes an operator of AI, in important legal processes, competent to use AI effectively?); Accountability (can responsibility be apportioned if something goes wrong?); and Transparency (can the appropriate stakeholders obtain access to the appropriate information in appropriate circumstances?).

What are some future developments and applications for AI that might be 5-10 years out? 25 years?

Over the next decade or two, absent fundamentally transforming innovation, AI will substantially improve the many current “vertical” applications, but will not yet enable solutions that require versatile, human-like general intelligence. In the near future, in Information Governance in particular, the most promising applications are in data risk-management. Imagine being able to rely on intelligent machines to give compliance officers or outside counsel an e-tap on the shoulder to alert them to potentially improper activity. Scientifically designed AI-enabled processes already enable this today, but I expect that it will increasingly become a generalized application and best practice.
What hobby or special talent do you have that might surprise your colleagues? I was a capable recreational off-road motorcycle rider until a spectacularly indecorous face-plant enlightened me to the availability of other pastimes. What do you like most about living in New York City? I felt immediately at home here. It is this global metropolis that lives up to all its cinematic clichés with gusto, but where daily life is at human scale. There are many small neighborhoods and walkable streets, public parks, and secret gardens. Above all, there is a palpable sentiment of mutual
acceptance and desire for harmonious “living together” among so many diverse communities. What is your favorite NYC breakfast or dinner spot? And why? Morning coffee at Arcade Bakery, a hidden gem with the best croissants in the city. After-show dinner at Frenchette over chicken for two with Robuchonstyle mashed potatoes. Virgil’s for the best pulled-pork sandwich and worst cocktails in midtown Manhattan. Brunch at home for the finest Eggs Benedict in the Five Boroughs. NICOLAS ECONOMOU IS THE CHIEF EXECUTIVE OF H5, AND CAN BE REACHED AT NECONOMOU@H5.COM
INFORMATION GOVERNANCE WORLD
RECORDS & INFORMATION MANAGEMENT
CREATING A SUSTAINABLE RIM PROGRAM – FACT OR FICTION? DOES AN ENTERPRISE RECORDS & INFORMATION MANAGEMENT PROGRAM REALLY EXIST? BY FRED DIERS, CRM, FAI
There are many articles, webinars, educational seminars, and champions professing the need for, and benefits of, a compliant Records and Information Management (RIM) program. ARMA International even offers a measurement tool based on the Generally Accepted Recordkeeping Principles® that enables RIM and IG professionals to assess the maturity of their organizations’ RIM programs so they can identify and foster needed improvements. Despite all of this education, promotion, and internal RIM champions, there are no sustainable, functioning, enterprise-wide RIM programs setting internal standards and rules that personnel are required to follow—period!

THE STATE OF RIM PROGRAMS
RIM professionals may take exception to the above statement. It may depend on whether a RIM professional works in the public sector or in private industry. Many will say that their organizations have RIM policies and procedures that are available to all employees. Others may argue that they have annual information disposition days where personnel clean up their work areas and dispose of information. Still other RIM program champions may promote their programs to their executives or board as compliant and risk-avoidant. If these statements are true, why do so many organizations have:
• Outdated IG policies and RIM procedures
• Records Retention Schedules (RRS) that do not accurately reflect the organization’s structure
• RRSs that do not accurately classify the information the organization creates, distributes, and retains
• Personnel who know little or nothing about IG policies and RIM procedures
• Personnel who know about the policies and procedures but believe they apply only to paper records
• No continuous education or staff training on their IG policies and RIM procedures
• No auditing to ensure up-to-date, sustainable program compliance (very important!)
Some may argue that these conditions are not representative of most organizations, and that most RIM programs are working to the satisfaction of management. But the ongoing demand for experienced RIM professionals and consultants to update IG policies and RIM procedures while automating RIM processes refutes that argument.

OBSTACLES TO EFFECTIVE IG/RIM PROGRAMS
Reasons for poor IG/RIM program implementation and sustainability are:
• Changes in management structure and loss of the program champion
• Lack of staff accountability
• Complicated IG policies and RIM procedures, including the records retention guidelines
• Lack of management support, which leads to lack of funding for IG and/or RIM programs
• Enterprise content management tools that are not used as enterprise solutions or repositories
• No enterprise taxonomy standardizing terminology, indexing, media, or ownership
• An out-of-sight, out-of-mind mentality (RIM treated as only a legal issue)
• Lack of understanding of what an IG or RIM program is and the benefits it provides
• Lack of, or ineffective, RIM training
• No RIM training or oversight at the various points of the employee lifecycle
• Employees’ inherent resistance to change

RESISTANCE TO CHANGE IS A MAJOR FACTOR
The final listed item is the main reason organizations are struggling to implement effective enterprise-wide RIM programs. Resistance to change is especially evident in managers who see only the disruption of their staff’s work routines by programs they believe contribute little to the financial bottom line or to their function’s goals. The result of this resistance is clearly demonstrated when there is:
• No enforcement of, or compliance with, management-approved RIM policies and procedures
• No compliance auditing of how the organization’s functions and departments are implementing policies
• No coordination of the organization’s silos of compliance
• No transparency about how the RIM program operates or how policies are implemented
• No senior management or executive awareness, support, or prioritization of the RIM program

HOW TO OVERCOME RESISTANCE
Focusing on communication, education, and careful technology deployment will help personnel make the changes necessary for implementing and sustaining an effective RIM program.

Communicate: From the Top Down
Minimizing resistance starts with communication from the top executive down the hierarchy that constantly and consistently reinforces compliance with IG policies and emphasizes that RIM procedures are mandatory. This dispels the fear among staff that management will not accept their destroying information in accordance with the retention schedule, or will hold it against them if they do; that fear may be causing staff to ignore IG policies and retain information “just in case” management needs it.

Educate Senior Management
Senior management must understand the RIM program’s purpose and benefits—that it is not just about e-discovery or legal holds, but that it also drives standards that:
• Enable authorized personnel to access complete and accurate information easily
• Reduce information volumes
• Instill confidence in information disposition
• Minimize legal and operational risks
• Address information privacy concerns
• Show how consistent, quality data can improve workflow
Senior management must also understand, from the conception of the program, that:
• IG policies and RIM procedures are corporate standards that are not open to interpretation once approved by executives, and support for these standards must be present at all levels.
• The IG policies and RIM procedures are living documents, subject to annual review and update, or whenever major organizational change occurs.
• Implementing the RIM procedures related to the policies and retention schedule will change how staff process and handle information, from its creation through disposition. The impact of the change can be reduced by an ongoing resource commitment, including:
– An electronic tool to assist users in creating, sharing, and storing information assets
– A single (or virtual) repository for the final versions of corporate documents
– Effective staff education and “town hall” meetings where personnel have input into the design of policy-driven standards and rules
– Continuous user assistance
– Audits to test the effectiveness of, and compliance with, IG policies (very important!)

PARTNER WITH IT
Introducing new technology often creates resistance to change. An IT department that is eager to respond to user requests for new applications may introduce software without clear rules for its use or deployment. These “tools” are problem-specific rather than enterprise-wide solutions, leaving users to set up, index, and control e-mail and shared drives with no standards. This allows users to develop poor information-processing habits that undermine their compliance with IG policies and RIM procedures. It then becomes necessary to change user behavior, and managers may opt to avoid this effort rather than disturb the status quo. To prevent these bad habits, and to minimize the need to change user behavior later, IT must partner with RIM to ensure that the design of new applications or document repositories conforms to IG policy, the RIM taxonomy, and the retention schedule. Bear in mind that the program standards and rules come first, not the technology.

ELEMENTS OF AN EFFECTIVE RIM PROGRAM
An enterprise RIM program’s scope must be the lifecycle processing of the organization’s information assets. This requires:
• IG policies, strategic in nature, that support management objectives and corporate culture.
• Mandated adherence to IG policies, in the same way that adherence to other corporate policies is mandated and compliance is monitored and enforced.
• An enterprise automated tool that has the policy and retention standards and rules embedded in its administrative tables and is accessible throughout the organization for users to create, capture, share, distribute, retain, and dispose of digital and physical information.
• A retention schedule that is easy to use and has realistic retention values. The day of 100-page retention schedules is over; big-bucket categorization is required in today’s digital world.
• Annual updates of IG policies and RIM procedures.
• Ongoing user support and education to reduce resistance and help ensure acceptance of, and compliance with, the IG policies.

SELL THE PROGRAM
Change is inevitable. The roles RIM programs play depend on management commitment and management’s understanding of what elements a sustainable program comprises. Ensuring senior management understands the operational, financial, technical, and managerial feasibility when selling a new program is crucial. If the RIM professional can strategically sell these elements, change becomes manageable rather than a roadblock to the program’s success. The search for an effective enterprise RIM program goes on and on...

FRED V. DIERS, CRM, FAI, HAS MORE THAN 45 YEARS OF RIM EXPERIENCE WITH MULTI-NATIONAL ORGANIZATIONS. HE HAS SUCCESSFULLY IMPLEMENTED SUSTAINABLE RIM PROGRAMS ON A GLOBAL SCALE FOR COMPANIES OPERATING IN MORE THAN 80 COUNTRIES. A SIGNIFICANT COMPONENT INVOLVES DEVELOPING BUSINESS RULES PERTAINING TO INFORMATION LIFECYCLE, INCLUDING INDEXING, METADATA, AND RETENTION STANDARDS. DIERS IS A PAST PRESIDENT OF ARMA INTERNATIONAL, AN EMMETT LEAHY AWARD AND A BRITT LITERARY AWARD RECIPIENT, AND A WORLDWIDE LECTURER ON RIM AND IG TOPICS. HE CAN BE CONTACTED AT FDIERS@IMERGECONSULT.COM.
PRIA PUBLISHES BEST PRACTICES FOR LAND RECORDS MANAGEMENT SYSTEMS
RALEIGH, N.C. – The Property Records Industry Association (PRIA) has approved and published a paper on Land Records Management Systems (LRMS) Best Practices. This publication, four years in development, is intended to help recorders evaluate their current LRMS and prepare an RFP for a new system, and to help LRMS vendors understand the full scope of the recorders’ needs. An LRMS provides a mission-critical connection between the government and business sectors in the property records industry. These software products address many of the technical, regulatory, and statutory requirements that recording jurisdictions face in the United States, and they are vital for recording jurisdictions to operate efficiently and effectively.

Larry Burtness, customer operations manager at Figure Technologies, president of PRIA, and one of the co-chairs for this project, explains, “This PRIA work product provides recording jurisdictions with information that may be helpful for evaluating and making informed decisions about LRMS solutions. It also provides a comprehensive set of best practices for the LRMS vendors to consider when developing or implementing products.” Karl Trottnow, Simplifile, also a co-chair for this project, concurs, stating, “An effective LRMS should have the ability to adapt to the changing demands and requirements of the recorder’s office. The recording jurisdiction should also consider the existing functional capacity of the LRMS and the software vendor’s commitment to support, maintenance and future innovation.”

Past PRIA work products have addressed property recording processes, including bulk records access, records preservation, indexing, redaction, the Uniform Real Property Electronic Recording Act (URPERA), eNotarization, and eRecording. This LRMS Best Practices document brings together components of previous PRIA work products with a focus on how LRMS solutions support the property records industry.
DATA GOVERNANCE
DATA GOVERNANCE: INSIGHTS FROM THE FIELD
BY MERRILL ALBERT
I’ve worked in data governance most of my career, even before we had the term “data governance” (DG). Originally, I suppose we called it common sense. It’s not second nature to everyone, so the DG discipline was built and evolved. It combines business aspects and technical aspects, with heavy emphasis on the business. If the business rules are bad, no technology will save you.

Deciding that you need DG can come about in multiple ways. It might be through a decision for the company to be more data-driven and to drive more value from your data using the principles of infonomics. You’ve collected a lot of it over the years, so why not make it more valuable by driving insights from it or monetizing it? It also might come about through trying to do a technical implementation, such as implementing a master data management (MDM) tool, and the tool vendor asking what your DG strategy is for keeping the data “mastered” after implementation. Sometimes, those working on analytics find the data is inaccurate, so someone proposes DG. Many times, it comes about through a government directive (e.g., GDPR, CAN-SPAM), a compliance violation, or a regulatory ruling. Keep in mind that businesses need key business drivers to launch a DG program.

DATA QUALITY
A major aspect often emphasized in DG programs is data quality. It’s important to put data quality under your DG initiative. If you don’t, people start thinking of data quality as a one-time technical project. You might be implementing a data quality tool; that is a project. However, what goes into that tool are the rules under which you define data quality. Some of the rules could be technical, such as IT wanting some values stored a certain way to improve processing, but many of the rules need to come from the business. That collaboration between the business side and IT is critical. Those data quality rules can change over time, so DG programs must be evergreen to keep them current.

DATA LAKES
A lot of companies these days are investing in data lakes. Did you know that if all you do is create a data lake without applying any DG, all you’ve really done is create a data swamp? Putting more data in a data lake is a great idea, but only if knowledge workers can find the data they need and know what it means. Taking a more thoughtful and governed approach will give you something usable that you can drive value from. This is not a game where “whoever dies with the most data wins.”

BIG DATA
Big Data or “little” data, you still have data that needs to be governed. Any data that you don’t govern is data that doesn’t reach the potential value it could have. A data field might make sense to someone in the moment they create it, but it doesn’t always make sense when you look at it further down the line. We need to know what data means, where it came from, under what rules it is governed, what we’re allowed to do with it, what good-quality data looks like, and so on.

CLOUD
Do not think of a cloud computing implementation as just a technical project, something your IT department will do for you. One company had an IT department that acted in a vacuum in moving all the organization’s data to the cloud. There was a cost saving in it, but they wound up moving the data to a cloud location where it was stored on a physical server in a country it was not allowed to be in. Major oops! That resulted in a slew of legal discussions and reinforced the need for collaboration early on and throughout the entire migration process. It would have saved a lot of heartache.

ANALYTICS
Many companies are investing in analytics. Analytics can be very powerful, but if your analytics are based on bad data, you have bad analytics. Often what happens is that the data scientists either think it’s their job to “fix” the data before they can use it, or they just start using poor-quality data and jump to conclusions about what it means. A good data person is all about getting the right data into the right hands, and that means getting usable data to data scientists. Data scientists shouldn’t have to “fix” data before they use it. I’ve watched some actually change data values because they think the values are incorrect, when they have no basis to prove that. I’ve seen some companies combine the data and analytics groups. Perhaps they create a single Chief Data Officer (CDO), or more often, a single Chief Analytics Officer without a corresponding CDO. Those are two separate skill sets. To be most effective, two separate people are needed, working together at the same level in the company.

DG AWARENESS
Another part of DG is awareness training. In a company, there are typically a few people highly involved with DG who go through training. However, there are many more people in the business, arguably everyone in the company, who need general DG awareness training. This isn’t extensive training, but you need people to understand what data is and what they’re allowed to do with it.

CONCLUSION
Everyone wants the right data, not just data. We need to recognize that we’re all in this together. We shouldn’t be hoarding data to ourselves or hoarding the rules to ourselves. No one person knows everything there is to know about all the data. Proper DG programs require that we work together through sharing and collaboration for a better overall result that benefits the business.

MERRILL ALBERT IS A LIFELONG DATA PERSON SPANNING THE FULL SPECTRUM OF THE DATA MANAGEMENT LANDSCAPE THROUGH BOTH INDUSTRY AND CONSULTING ROLES. SHE BELIEVES IN UNDERSTANDING THE BUSINESS NEEDS OF THE DATA. WITH A FOCUS ON DATA GOVERNANCE, SHE IS PASSIONATE ABOUT GETTING THE RIGHT DATA IN THE RIGHT HANDS TO USE COMPLIANTLY AT AN ENTERPRISE LEVEL. SHE CAN BE REACHED AT MERRILLALBERT@HOTMAIL.COM
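The cloud-migration mishap in the Data Governance piece above (data landing on a server in a country it was not allowed to be in) is the kind of failure a pre-migration residency check catches. The following is an added example, not code from the article or its author: a small policy-as-code check that compares a migration plan against a data inventory. The region-to-country map, dataset names, bucket names, classifications and allowed countries are all constructed for illustration.

```python
"""Pre-migration data-residency check (constructed example).

Every dataset in the inventory carries a classification and the countries it
may be stored in; every planned bucket is tied to a provider region, and every
region to the country where the hardware sits. The check reports each placement
that would put data somewhere it is not allowed to be, before anything moves.
Dataset names, buckets, regions and allowed countries are all constructed.
"""
from dataclasses import dataclass

# Assumed region-to-country map. In practice this comes from the provider's
# published region list and must be kept current; these values are illustrative.
REGION_COUNTRY = {
    "eu-central-1": "DE",
    "eu-west-1": "IE",
    "us-east-1": "US",
    "ap-southeast-1": "SG",
}


@dataclass(frozen=True)
class Dataset:
    name: str
    classification: str            # e.g. "personal", "financial", "public"
    allowed_countries: frozenset   # ISO 3166 codes the data may reside in


@dataclass(frozen=True)
class Placement:
    dataset: str
    bucket: str
    region: str


@dataclass
class Violation:
    dataset: str
    bucket: str
    region: str
    country: str
    reason: str


def check_residency(datasets, placements, region_country=REGION_COUNTRY):
    """Return the Violations in a migration plan; an empty list means compliant.

    Fails closed: a dataset missing from the inventory or a region with no
    country mapping is reported as a violation, because neither can be shown
    to be allowed.
    """
    inventory = {d.name: d for d in datasets}
    violations = []
    for p in placements:
        ds = inventory.get(p.dataset)
        if ds is None:
            violations.append(Violation(p.dataset, p.bucket, p.region, "?",
                                        "dataset not in inventory"))
            continue
        country = region_country.get(p.region)
        if country is None:
            violations.append(Violation(p.dataset, p.bucket, p.region, "?",
                                        "region not mapped to a country"))
            continue
        if country not in ds.allowed_countries:
            allowed = ", ".join(sorted(ds.allowed_countries))
            violations.append(Violation(
                p.dataset, p.bucket, p.region, country,
                f"{ds.classification} data may only reside in: {allowed}"))
    return violations


# Constructed inventory and migration plan.
DATASETS = [
    Dataset("eu_customer_pii", "personal", frozenset({"DE", "IE", "FR"})),
    Dataset("marketing_assets", "public", frozenset({"DE", "IE", "US", "SG"})),
    Dataset("ledger_2018", "financial", frozenset({"US"})),
]
PLAN = [
    Placement("eu_customer_pii", "corp-data-eu", "eu-central-1"),   # ok
    Placement("eu_customer_pii", "corp-backup", "us-east-1"),        # wrong country
    Placement("marketing_assets", "corp-web", "ap-southeast-1"),    # ok
    Placement("ledger_2018", "corp-finance", "eu-west-1"),           # wrong country
    Placement("hr_exports", "corp-hr", "us-east-1"),                 # never inventoried
]

if __name__ == "__main__":
    for v in check_residency(DATASETS, PLAN):
        print(f"BLOCK {v.dataset} -> {v.bucket} [{v.region}/{v.country}]: {v.reason}")
```

The point of the fail-closed branches is the collaboration the article asks for: a dataset nobody has classified, or a region nobody has mapped, is a question for the business and legal owners, not something the migration team should resolve by moving the data and finding out later.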
Note: Excerpt from Robert Smallwood’s new book Information Governance (Wiley, 2019). Used with permission.
WHAT IS MASTER DATA MANAGEMENT?
Master data management (MDM) is a key process for IG success in the IT department, which extends to the involved business units. An emerging discipline, MDM came into prominence around 2010 to 2012, coinciding with the Big Data trend. The goal of MDM is to ensure that reliable, accurate data from a single source is leveraged across business units. That is, a key aim is to establish a “single version of the truth” [1] and eliminate multiple, inconsistent versions of data sets, which are more common than most might think, especially in larger organizations with physically distributed operations and large numbers of servers and databases. MDM gets to the core of data integrity issues, essentially asking “Is this data true and accurate? Is this the best and only, final version?” MDM grew from the need to create a standardized, “discrete discipline” to ensure there was a single version on which to base analytics calculations and decisions. [2]

According to Gartner, MDM “is a technology-enabled discipline in which business and IT work together to ensure the uniformity, accuracy, stewardship, semantic consistency and accountability of the enterprise’s official shared master data assets. Master data is the consistent and uniform set of identifiers and extended attributes that describes the core entities of the enterprise including customers, prospects, citizens, suppliers, sites, hierarchies and chart of accounts.” [3]

What is the business impact? How are operations enhanced, and how does that contribute to business goals? One set of reliable, clean data is critical to delivering quality customer service, reducing redundant effort and therefore operational costs, improving decision making, monetizing data, and even potentially lowering product and marketing costs. A unified view of customers, products, or other data elements is critical to turning these business goals into reality. The larger the organization, the greater the need for MDM.
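What “a single version of the truth” means mechanically is worth seeing once. The following is an added example, not from Smallwood’s book or any MDM product: customer records from three constructed source systems are normalised, clustered by shared identifiers, and merged under explicit survivorship rules, with provenance kept per attribute so any golden value can be traced back to the system it came from. The source names, the per-attribute trust order and the sample records are assumptions.

```python
"""Golden-record build for customer master data (constructed example).

Records are normalised, clustered by shared identifiers (union-find, so a
record tied to one cluster by e-mail and to another by phone joins them), and
merged per attribute: preferred source first, then most recently updated.
Source names, the trust order and the sample records are all constructed.
"""
import re
from collections import defaultdict
from datetime import date

# Assumed per-attribute source preference: the first listed source wins when
# it has a value; a real hub would make this configurable per attribute.
SURVIVORSHIP = {
    "name": ("crm", "billing", "marketing"),
    "email": ("crm", "marketing", "billing"),
    "phone": ("crm", "billing", "marketing"),
    "tax_id": ("billing", "crm", "marketing"),
}


def normalise_email(value):
    return value.strip().lower() if value else ""


def normalise_phone(value):
    """Digits only, compared on the last 10, so '+1 (212) 555-0143' and
    '212-555-0143' match."""
    digits = re.sub(r"\D", "", value or "")
    return digits[-10:] if len(digits) >= 10 else digits


def cluster(records):
    """Group records that share a normalised e-mail or phone, transitively."""
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}
    for i, rec in enumerate(records):
        keys = (("email", normalise_email(rec.get("email"))),
                ("phone", normalise_phone(rec.get("phone"))))
        for key in keys:
            if not key[1]:
                continue
            if key in first_seen:
                union(first_seen[key], i)
            else:
                first_seen[key] = i
    groups = defaultdict(list)
    for i, rec in enumerate(records):
        groups[find(i)].append(rec)
    return list(groups.values())


def survive(group, attr):
    """Surviving (value, source) for one attribute, or (None, None)."""
    candidates = [r for r in group if r.get(attr)]
    if not candidates:
        return None, None
    rank = {src: i for i, src in enumerate(SURVIVORSHIP[attr])}
    best = min(candidates, key=lambda r: (rank.get(r["source"], len(rank)),
                                          -r["updated"].toordinal()))
    return best[attr], best["source"]


def golden_records(records):
    golden = []
    for group in cluster(records):
        rec = {"sources": sorted({r["source"] for r in group}), "provenance": {}}
        for attr in SURVIVORSHIP:
            value, src = survive(group, attr)
            rec[attr] = normalise_email(value) if attr == "email" and value else value
            rec["provenance"][attr] = src
        golden.append(rec)
    return golden


# Constructed source records: the first three describe the same customer.
RECORDS = [
    {"source": "crm", "name": "Ana Pérez", "email": "Ana.Perez@example.com",
     "phone": "+1 (212) 555-0143", "tax_id": None, "updated": date(2019, 1, 5)},
    {"source": "billing", "name": "A. Perez", "email": None,
     "phone": "212-555-0143", "tax_id": "TX-7781", "updated": date(2018, 11, 20)},
    {"source": "marketing", "name": "Ana Perez", "email": "ana.perez@example.com",
     "phone": None, "tax_id": None, "updated": date(2019, 2, 1)},
    {"source": "marketing", "name": "Ben Okafor", "email": "ben@example.org",
     "phone": None, "tax_id": None, "updated": date(2019, 2, 1)},
]

if __name__ == "__main__":
    for g in golden_records(RECORDS):
        print(g)
```

The billing record has no e-mail and the marketing record has no phone, yet all three collapse into one golden record because the CRM record shares an identifier with each. That transitive join is where most real-world duplicates hide, and it is also where over-matching does damage, so the match keys and survivorship order are governance decisions to be owned by the business, not defaults left to the tool.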
REFERENCES
1. Sunil Soares, Selling Information Governance to the Business (Ketcham, ID: MC Press, 2011), p. 4.
2. Andrew White, “We Are Only Half Pregnant with MDM,” April 17, 2013, https://blogs.gartner.com/andrew_white/2013/04/17/we-are-only-half-pregnant-with-master-data-management/ (accessed December 13, 2018).
3. Gartner IT Glossary, “Master Data Management,” https://www.gartner.com/it-glossary/master-data-management-mdm (accessed December 13, 2018).
CONTENT SERVICES
INTELLIGENT AUTOMATION & IG: THE CRITICAL PATH TO DIGITAL TRANSFORMATION
BY NATHANIEL PALMER
According to a recent survey by Deloitte & Touche LLP, 95% of CEOs and 97% of corporate board members cited “serious threats and disruptions to their growth prospects in the next two to three years.” The specific threat most frequently cited is the disruptive effect of digital technologies deployed by competitors, and the internal challenge of keeping pace through new technology investments. To put it in trendier parlance, what they fear most is digital disruption.

What is the remedy to digital disruption? The usual answer is “Digital Transformation,” one of the most frequently cited phrases in today’s business circles. But what does it mean? In the most basic terms, Digital Transformation is the transformation, or “digitizing,” of existing processes and operations into a software realization. It is not simply an “app,” nor becoming a “dot-com” enterprise, but leveraging digital media (the Internet, mobile apps, analytics, smart appliances, social media, et al.) to connect with customers, partners, and even employees.

The push for digital transformation and its looming threat is old news. We have all seen stories of once-dominant businesses that were run out of town by digital disruption, the most famous being Blockbuster’s displacement by Netflix and other streaming services. Today we see around us countless innovative “digital natives” rapidly outpacing erstwhile market leaders. Firms such as Uber, Facebook, Airbnb, Postmates, and others are success stories that have ascended from ideas virtually unthinkable a decade ago to multi-billion-dollar enterprises in business today.

While many CEOs may lie awake at night worrying about being “Uberized,” a more pressing issue is how to align digital transformation with corporate governance. How do you avoid the risk of losing control of governance processes? How do you avoid the risk of security breaches while still ensuring digital access to your products and services by customers? What about enabling partners and employees to engage via digital media? The answer is Information Governance (IG).

Specifically, it is ensuring that IG is at the center of a digital transformation strategy. From a technology investment standpoint, the engine of digital transformation is Intelligent Automation—the latest evolutionary step for the traditional Business Process Management (BPM) and workflow automation software sector, complementing the use of business rules and process management technology with software robots and artificial intelligence (AI). The critical path to successful digital transformation (with managed risk) is combining IG with intelligent automation.

DIGITIZING BUSINESS PROCESSES
Intelligent automation technologies support interactions with humans, as well as performing work as humans would do it. A relatively simple example is an AI-powered “chatbot” able to interact with customers (and increasingly partners and employees) in a way that would otherwise require a human customer service representative. Today, these interactions blur the lines between human and machine. When the interaction is via digital media (a mobile app or website) it can be difficult to tell whether the entity on the other end is a person or a program; within the narrow scope of a scripted exchange the two can be indistinguishable, which is the criterion of the famous “Turing Test” (proposed by Alan Turing in 1950 to assess a machine’s ability to exhibit behavior indistinguishable from that of a human). Yet chatbots are just the thin veneer of intelligent automation. The real intelligence lies in the processes that happen behind the scenes; they are what ultimately defines digital transformation. Indeed, a successful digital transformation strategy is one that ties together discrete moments of automation within a more comprehensive, end-to-end process, adhering to the rules of corporate governance and IG. Supporting this requires a clear model for the separation of concerns between the rules of how work is completed and the systems that support it.

In most enterprises today, the control points for enforcing the rules and policies of corporate governance are focused on human beings. They are part of the user interface in core business applications. They are also part of the reporting systems for ensuring compliance with established policies and procedures. Firms focus on the actions of workers (human beings) who apply their know-how and subjective judgement to perform work. A chatbot may be able to check the status of an order or an insurance claim, or even initiate one. But traditionally, the high-value work to process that claim, or fulfill that order, is left to more skilled human workers. This work is often assumed to be “un-automatable,” requiring logging in and out of different systems to complete the process (or even a single task), typically involving third-party systems or other environments that cannot be easily integrated through a programmatic interface. Instead, people do it, with swivel chairs and sticky notes, and as a result the design of the related rules and workflows is based on how the applications were built, rather than on the actual objectives of the end-to-end process that spans across them.

Yet intelligent automation allows these existing user interfaces to remain intact, enabling software robots to perform the same functions just as a human user would. This allows the same control points and reporting to remain intact. The work is indistinguishable between human and robot, as the same systems are used. What tells the robot what to do? This is the critical role of IG, ultimately serving as the lifeblood of digital transformation by enforcing the same rules applied to human workers, and ensuring the same level of transparency (including audit trails, records management, and other means for capturing the chain of custody for how confidential and proprietary information is handled). For that audit trail to be meaningful, each robot needs to act under its own identity and credentials rather than a shared human login, so the record shows which actor, human or robot, performed each step.

FINDING THE CRITICAL PATH TO DIGITAL TRANSFORMATION
Combined with IG, intelligent automation offers the ability to integrate processes, rather than systems and applications, to deliver something closer to holistic or comprehensive automation of work rather than requiring (far more expensive) humans to perform this work manually. A real-life example of this is the automation of otherwise manual transaction processing. In this scenario the greatest challenge typically is to ensure workers follow the rules and policy guidelines for how work should be performed, which is enforced via training, work instructions, and standard operating procedures (SOPs). Imagine an alternative scenario where users are relieved of subjective decision-making (i.e., having to rely on their own interpretation of policies and rules) and instead their work flows through a library of business logic where hundreds or thousands of rules are applied to validate data accuracy, to ensure consistency with policy, and to present a data-driven recommendation for the best action to take next. This provides objective measures (actual reportable data and analytics) to demonstrate that work was performed according to established policy. It also lowers the training burden by removing the need to understand exactly what to do at each process step, while ensuring greater accuracy and consistency. Rather than a “black box” of back-end automation, each transaction, process step, and data element is checked automatically against IG rules.

Expanding the aperture on this scenario, consider the role of traditional BPM coordinating the end-to-end process, managing the sequencing of steps and the state of the process as it advances the span of control from one step to the next. Now, with the much finer-grained definition of how work must be performed, leveraging the policies and rules defined as part of IG, many of the steps that previously required human intervention can be performed by “intelligent” robots. Yet these robots aren’t smart, per se. This is not AI run amok. Rather, the software robots are held to the same compliance rules and reporting standards otherwise defined for human workers, but digitized as part of an IG strategy. Over time, the scope of this automation can grow to encompass an increasing number of erstwhile human tasks, as performance data is captured and more is understood about how the work should be performed. This is the promise of Intelligent Automation combined with IG—expanding the efficiency of automation while delivering greater transparency and policy compliance.

NATHANIEL PALMER IS A REGULAR SPEAKER AT LEADING CONFERENCES, AND HAS AUTHORED OR COAUTHORED OVER A DOZEN BOOKS ON PROCESS AUTOMATION AND DIGITAL TRANSFORMATION. HE IS DIRECTOR, BUSINESS ARCHITECTURE FOR SERCO, INC., AS WELL AS THE EXECUTIVE DIRECTOR OF THE WORKFLOW MANAGEMENT COALITION (SINCE 2006). RATED AS THE #1 MOST INFLUENTIAL THOUGHT LEADER IN BPM BY INDEPENDENT RESEARCH, HE HAS LED THE DESIGN FOR SOME OF THE INDUSTRY’S LARGEST-SCALE AND MOST COMPLEX PROCESS AUTOMATION AND DIGITAL TRANSFORMATION INITIATIVES, INVOLVING INVESTMENTS OF $500 MILLION OR MORE. PREVIOUSLY, HE HAD BEEN THE BPM PRACTICE DIRECTOR OF SRA INTERNATIONAL; DIRECTOR, BUSINESS CONSULTING FOR PEROT SYSTEMS CORP; AS WELL AS SPENDING OVER A DECADE WITH DELPHI GROUP SERVING AS VP & CTO.
HE MAY BE REACHED AT NATHANIELPALMER@GMAIL.COM OR LINKEDIN.COM/IN/BIGDATASMARTPROCESS/
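The transaction-processing scenario in the article above (every transaction checked against a rule library, a recommendation for the next action, and an audit trail that holds software robots to the same rules as people) can be made concrete. The following is an added example, not code from the article, from Serco or from the Workflow Management Coalition: a constructed rule library, an evaluator that returns approve / route-for-review / reject, and a hash-chained audit log in which each entry records the actor and whether it was a human or a robot. The rules, thresholds, currency list, blocklist, transactions and actor names are all assumptions made for illustration.

```python
"""Transaction rules with a hash-chained audit trail (constructed example).

Every transaction passes through the same rule library whether a person or a
software robot is processing it. The evaluator returns a recommendation and
appends an audit entry naming the actor, its kind, the rules evaluated and
the failures, chained by SHA-256 so that later edits to an entry are detectable.
Rules, thresholds, the blocklist, currencies and actor names are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional


@dataclass
class Rule:
    id: str
    description: str
    check: Callable[[dict], Optional[str]]   # returns an error string, or None
    blocking: bool = True                    # a blocking failure rejects outright


def rule_required_fields(tx):
    missing = [f for f in ("id", "amount", "currency", "counterparty")
               if tx.get(f) in (None, "")]
    return f"missing fields: {missing}" if missing else None


def rule_amount_positive(tx):
    amount = tx.get("amount")
    ok = isinstance(amount, (int, float)) and amount > 0
    return None if ok else "amount must be greater than zero"


ALLOWED_CURRENCIES = {"USD", "EUR", "GBP"}          # assumed policy


def rule_currency_allowed(tx):
    cur = tx.get("currency")
    return None if cur in ALLOWED_CURRENCIES else f"currency {cur!r} not approved"


DUAL_CONTROL_THRESHOLD = 10_000                      # assumed policy


def rule_dual_control(tx):
    if (tx.get("amount") or 0) > DUAL_CONTROL_THRESHOLD and not tx.get("second_approver"):
        return f"amount above {DUAL_CONTROL_THRESHOLD} requires a second approver"
    return None


BLOCKED_COUNTERPARTIES = {"ACME-BLOCKED"}            # stand-in for a screening service


def rule_sanctions_screen(tx):
    if tx.get("counterparty") in BLOCKED_COUNTERPARTIES:
        return "counterparty is on the blocklist"
    return None


RULES = [
    Rule("R1", "mandatory fields present", rule_required_fields),
    Rule("R2", "amount is positive", rule_amount_positive),
    Rule("R3", "currency on approved list", rule_currency_allowed),
    Rule("R4", "dual control above threshold", rule_dual_control, blocking=False),
    Rule("R5", "counterparty sanctions screen", rule_sanctions_screen),
]


def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def evaluate(tx, actor, actor_kind, audit_log, rules=RULES, now=None):
    """Apply every rule, decide, and append a chained audit entry."""
    failures = []
    for rule in rules:
        error = rule.check(tx)
        if error:
            failures.append({"rule": rule.id, "blocking": rule.blocking, "error": error})
    if any(f["blocking"] for f in failures):
        recommendation = "reject"
    elif failures:
        recommendation = "route-for-review"
    else:
        recommendation = "approve"
    entry = {
        "ts": (now or datetime.now(timezone.utc)).isoformat(),
        "tx_id": tx.get("id"),
        "actor": actor,
        "actor_kind": actor_kind,                 # "human" or "robot"
        "rules_evaluated": [r.id for r in rules],
        "failures": failures,
        "recommendation": recommendation,
        "prev_hash": audit_log[-1]["hash"] if audit_log else "",
    }
    entry["hash"] = _digest(entry)
    audit_log.append(entry)
    return entry


def verify_chain(audit_log):
    """True if every entry's hash and its link to the previous entry are intact."""
    prev = ""
    for entry in audit_log:
        if entry["prev_hash"] != prev or _digest(entry) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


if __name__ == "__main__":
    log = []
    evaluate({"id": "T1", "amount": 500, "currency": "USD", "counterparty": "Globex"},
             "jdoe", "human", log)
    evaluate({"id": "T2", "amount": 25_000, "currency": "EUR", "counterparty": "Initech"},
             "bot-07", "robot", log)
    for e in log:
        print(e["tx_id"], e["actor_kind"], e["recommendation"], [f["rule"] for f in e["failures"]])
    print("chain intact:", verify_chain(log))
```

Two design points matter more than the rules themselves. Every entry lists the rules that were evaluated, not only the ones that fired, so an auditor can tell a transaction that passed from one that was never checked. And the hash chain only detects tampering; it does not prevent it, so the log still needs append-only storage and a verifier that is not run by the same identity that writes the entries.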
THE RISE OF THE CDO: CONFLICTS EMERGE WITH CISO ROLE?
BY TOM MOTZEL
CIOs have historically been responsible for delivering and maintaining information across the enterprise, including application development, network support, and IT governance. In the past, CIOs were charged with aligning information with company objectives, but there were inherent gaps, since business units “owned” the information and CIOs lacked depth of business context. Today, the effects of mobile, cloud and IoT, combined with advances in artificial intelligence (AI), require greater expertise. The wave of digital transformation is compelling organizations to better recognize, organize, and govern the information streams they create, thereby demanding a more dedicated focus. It is the role of the Chief Data Officer (CDO) to recognize and communicate the new value streams this data-rich environment enables. The CDO has two primary objectives in overseeing company data: drive revenue generation and avoid risk. To accomplish these objectives, an organization must first identify, organize, and apply governance to its information assets. Once that is accomplished, it becomes much easier to assign value, determine strategies and set budgets.
INFORMATION GOVERNANCE
The first step for organizations in governing information is having a clear inventory of the data and information they possess, a categorization of that information, and an accurate accounting of the value of each. Neglecting these items will nearly guarantee a sub-optimal outcome for the business across many functions, including compliance, risk management, litigation, information value optimization, and overall operational efficiency. According to DocAuthority, “Without knowing what you have, where it is, and who has access to it (and for what purpose) you cannot proceed with a meaningful information governance program.” (A diagram in the print edition illustrates how governance supports both risk mitigation and increased value streams.) “Housekeeping” begins with an assessment to take stock of all the organization’s disparate data sources and locations. Next, a “governance committee,” supported by content classification tools, categorizes information in a manner that supports particular business unit functions. This process brings about greater organizational awareness of information assets and establishes more accurate information asset values. The final step is establishing rules and procedures that reinforce and maintain information governance across the enterprise. The inventory is also what makes the CISO’s work concrete: an access policy or retention rule can only be applied to a data set that has been found and classified.
It’s important to recognize the alignment of the CDO and the Chief Information Security Officer (CISO) regarding this objective. As the CISSP All-in-One Exam Guide puts it, “We need to understand the core goals of security, which are to provide availability, integrity, and confidentiality (AIC triad) protection for critical assets.” While they share this end goal, the CDO is tasked to expose business value and drive revenue from data, while the CISO is focused exclusively on security. The relatively new role of CDO is often perceived as a threat, but this foundational objective will ultimately give the two roles common ground to work in harmony.
BUSINESS INNOVATION
Re-imagining how the business can better serve customers in our new digital reality is the essential role of the CDO. As reported in Gartner’s 2018 study, Success Patterns of CDOs Driving Business Impact, 58% of the highest performers stated driving new solutions as their primary focus. Understanding the relationship between enterprise information and potential business value is of primary importance. “Moving the data office out from under the IT function sends a message that information management is a business function, rather than a technical one.” To ensure the proper focus on business innovation, it is highly recommended that CDOs report to CFOs or CEOs and not directly to IT. Uber remains one of the most familiar examples of the profound ways data-driven platforms can re-invent existing services. It is crucial for every business (big or small) that hopes to differentiate itself from competitors to pursue data-driven innovation strategies. Learning from outside case studies is an effective way of disrupting habitual thinking about your own information. The Board of Innovation provides additional digital transformation examples.
RISK MITIGATION
The CDO’s mission of finding and driving new revenue streams from organizational data adds a “viewpoint” to the CISO’s security mandate. Insights from this new focus will inevitably change the classification and valuation of data assets. Security objectives, priorities, and budgets will shift to reflect this new reality, and investments will be redistributed to reflect both the risks and opportunities recognized by the CDO’s efforts. Another, more specific benefit to the CISO is a more detailed accounting of personally identifiable information (PII). According to DocAuthority, “In a regulatory landscape where the onus is on ‘privacy by design’, the level of technical difficulty in addressing this issue will carry little weight in the courts.” The increased focus on governance and on accounting for information as an asset supports the overall privacy, compliance, and risk mitigation efforts of organizations.
ADDITIONAL CONSIDERATIONS
There are many evolving technologies that will continue to transform our thinking about the use of information and the protections it may deserve. A potential split between CDOs and CISOs may be on the horizon. According to Andrew Burt, Chief Privacy Officer and Legal Engineer at Immuta, “Today, the biggest threat to our privacy and our security has become the threat of unintended inferences, due to the power of increasingly widespread machine learning techniques.” As CDOs scrutinize company data to find new value streams, they often rely on exactly this kind of inference. Should future privacy laws restrict inference-based methods, CISOs could become the ‘watchdogs’ of ambitious CDOs.
CONCLUSION
The focus of this article is to familiarize the reader with the role of the CDO, its primary objectives and the challenges it faces. The CDO must drive new revenue streams by leveraging organizational data with new digital capabilities to better serve customers. The first step is to identify, organize and govern the information so a value can be assigned to these assets. Accomplishing these tasks helps identify new value streams and mitigate risk. The CDO role is new, but it will continue to proliferate quickly and soon become the norm.
TOM MOTZEL, CIP, IS PASSIONATE ABOUT INCREASING AWARENESS REGARDING THE BENEFITS ORGANIZATIONS MAY GAIN FROM OUTSOURCING IG STRATEGY AND IMPLEMENTATION. CURRENTLY HE IS PRINCIPAL, CONSULTING & MANAGED SERVICES, IRON MOUNTAIN IGDS, AND MAY BE CONTACTED AT TOM.MOTZEL@IRONMOUNTAIN.COM
REFERENCES: DocAuthority. (2019). A Manifesto for CDOs in 2019. White paper. https://info.docauthority.com/cdo-manifesto; Burt, A. (2019). Privacy and Cybersecurity Are Converging. Here’s Why That Matters for People and for Companies. Harvard Business Review. https://hbr.org/2019/01/privacy-and-cybersecurity-are-converging-heres-why-that-matters-for-people-and-for-companies; Harris, S., & Maymi, F. (2016). CISSP All-in-One Exam Guide, Seventh Edition. New York, NY: McGraw-Hill Education; Moran, M., & Logan, V. (2018). Success Patterns of CDOs Driving Business Impact. Stamford, CT: Gartner. https://www.gartner.com/doc/3880096/success-patterns-cdos-driving-business; Board of Innovation. (2019). Digital transformation examples. https://www.boardofinnovation.com/staff-picks/digital-transformation-examples/
CONTENT SERVICES & BYOD: PROCEED WITH CAUTION
USER-OWNED SMARTPHONES MAY EXPOSE CONFIDENTIAL INFORMATION
In today’s world of cloud storage, content services, and document sharing across large distances and time zones, employees who use their private smartphones to share and collaborate on company-proprietary documents can put confidential data at risk. Using publicly available searches on the Internet, security researchers at Adversis “discovered hundreds of thousands of documents and terabytes of data exposed across hundreds of customers” who use Box. The list of companies and the types of data exposed were staggering; among the data found were passport photos and bank account numbers. The researchers contend this was not the result of a software bug but of a user-configurable sharing feature that was not being used correctly. When a user decides to work on a document on her smartphone, she sends a link directly from her Box account to the phone. If that link is created with public (“open”) access, it is a web link that can live on as an unprotected path to the document without anyone being aware of it; the link does not expire just because the phone session ends. The fix for this type of exposure is twofold: retrain employees on strict document-sharing policies, and back the policy with the service’s administrative controls, so that creating a publicly accessible link from a personal device is not possible without sign-off from the people who manage the content management platform. Periodically inventorying existing shared links and revoking open ones is the check that catches links created before the policy took effect.
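The periodic inventory described above can be scripted. The following is an added example and is not code from Box, from Adversis, or from the article; it audits an exported list of shared links and ranks the ones that expose content to anyone holding the URL. The inventory rows, their field names (`access`, `is_password_enabled`, `unshared_at`, `created_at`) and the 30-day staleness policy are constructed assumptions modelled loosely on the metadata a content service exposes for a shared link, not a real API response.

```python
from datetime import datetime, timedelta, timezone

# Added example: audit an exported shared-link inventory and rank exposures.
# INVENTORY is a constructed sample; the field names are an assumed export shape.

NOW = datetime(2019, 5, 1, tzinfo=timezone.utc)   # fixed clock so results are reproducible
MAX_OPEN_AGE = timedelta(days=30)                  # assumed policy: public links older than this are stale

INVENTORY = [  # constructed sample rows, not real customer data
    {"path": "/HR/passport-scan.pdf", "owner": "alice@example.com",
     "shared_link": {"access": "open", "is_password_enabled": False,
                     "unshared_at": None, "created_at": "2019-01-03T10:00:00Z"}},
    {"path": "/Finance/bank-accounts.xlsx", "owner": "bob@example.com",
     "shared_link": {"access": "open", "is_password_enabled": True,
                     "unshared_at": "2019-06-01T00:00:00Z", "created_at": "2019-04-20T09:00:00Z"}},
    {"path": "/Eng/design-notes.docx", "owner": "carol@example.com",
     "shared_link": {"access": "company", "is_password_enabled": False,
                     "unshared_at": None, "created_at": "2019-04-25T09:00:00Z"}},
    {"path": "/Legal/nda.pdf", "owner": "dave@example.com", "shared_link": None},
]

SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 'Z' timestamps used in the assumed export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_link(item: dict, now: datetime = NOW) -> dict:
    """Return a finding for one inventory row, or None if the file has no link."""
    link = item.get("shared_link")
    if link is None:
        return None
    findings = []
    if link["access"] == "open":
        # 'open' means anyone holding the URL can read the file, no account needed.
        findings.append("public link: anyone with the URL can read the file")
        unprotected = False
        if not link.get("is_password_enabled"):
            findings.append("no password on the link")
            unprotected = True
        if link.get("unshared_at") is None:
            findings.append("no expiry set")
            unprotected = True
        age = now - parse_ts(link["created_at"])
        if age > MAX_OPEN_AGE:
            findings.append(f"public for {age.days} days")
        severity = "high" if unprotected else "medium"
    else:
        # 'company' or 'collaborators' still require a login; list for the owner's review.
        severity = "low"
    return {"path": item["path"], "owner": item["owner"], "access": link["access"],
            "severity": severity, "findings": findings}


def audit(inventory: list, now: datetime = NOW) -> list:
    """Assess every row and return the findings, worst first."""
    results = [r for r in (assess_link(item, now) for item in inventory) if r is not None]
    return sorted(results, key=lambda r: (SEVERITY_RANK[r["severity"]], r["path"]))


if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(finding["severity"].upper(), finding["path"], finding["owner"], finding["findings"])
```

In practice the inventory would come from the service’s admin reporting or API; the design point is that an “open” link is a finding regardless of what the user intended when creating it, and that password and expiry only downgrade the severity, never clear it.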
ARCHIVING & LONG-TERM DIGITAL PRESERVATION
NEWER CLOUD-BASED APPROACHES SIMPLIFY DIGITAL PRESERVATION
It wasn’t long ago, 5-10 years, that long-term digital preservation (LTDP) required a relatively expensive and complicated set of internal processes to store digital records needed for 10 years or more. Migrating digital images from older, proprietary file formats and maintaining records in industry-standard, technology-neutral file formats while ensuring readability presented major challenges. But today there are new outsourced options that make digital preservation much easier and more cost-effective for organizations needing to preserve digital documents. The approach digital preservation suppliers take is to manage the entire digital conversion process (from paper or microfilm to digital) and to store 5-6 copies of each image with a major cloud supplier like Microsoft Azure or Amazon AWS, on servers dispersed geographically around the world. Some approaches use more than one cloud supplier to reduce the risk of loss even further. Error-detecting software periodically recomputes a checksum for each stored record and compares it with the value recorded at ingest, which reveals degradation or loss of bits due to hardware failures, hacking attacks, or other anomalies. The damaged copy is then restored or replaced, ensuring that 5-6 viable copies remain available in various parts of the world. One caveat worth pressing a supplier on: a simple checksum such as CRC32 reliably catches random bit rot, but not deliberate tampering, since whoever can rewrite a copy can recompute its checksum. Detecting tampering requires a cryptographic hash (SHA-256, for example) recorded at ingest in a manifest that is stored, and ideally signed, apart from the replicas themselves. This newer cloud-based approach has made digital preservation more accessible and viable for major organizations with the need to preserve digital information far into the future, especially movie studios, national libraries, universities, research organizations, and government entities.
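The fixity check just described, as an added example that is not code from any of the preservation suppliers mentioned: each replica is re-hashed and compared with the digest recorded in the ingest manifest, damaged copies are rewritten from an intact one, and a second scenario shows why comparing against the manifest matters more than majority voting among copies. The record bytes, replica locations and the tampering scenario are all constructed.

```python
import hashlib
from collections import Counter

# Added example modelling the periodic fixity check of a multi-copy preservation store.
# RECORD, LOCATIONS and both scenarios are constructed; nothing here talks to a real cloud.


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest: a tampered copy cannot match it unless the manifest is changed too."""
    return hashlib.sha256(data).hexdigest()


def audit_replicas(replicas: dict, manifest_digest: str) -> dict:
    """Classify each replica by comparing its digest with the ingest-time manifest digest.
    Returns {'good': [locations], 'damaged': [locations]}."""
    good, damaged = [], []
    for location, data in replicas.items():
        (good if sha256_hex(data) == manifest_digest else damaged).append(location)
    return {"good": sorted(good), "damaged": sorted(damaged)}


def repair_replicas(replicas: dict, manifest_digest: str) -> list:
    """Overwrite every damaged replica with the bytes of an intact one; return the rewritten
    locations. Raises if no intact copy remains, the loss the 5-6 copy layout exists to prevent."""
    report = audit_replicas(replicas, manifest_digest)
    if not report["good"]:
        raise RuntimeError("no replica matches the manifest; cannot repair")
    source = replicas[report["good"][0]]
    for location in report["damaged"]:
        replicas[location] = source
    return report["damaged"]


def majority_digest(replicas: dict) -> str:
    """Digest held by the most replicas. Included only to show that majority voting
    without a separately stored manifest cannot tell a consistent tamper from the truth."""
    return Counter(sha256_hex(d) for d in replicas.values()).most_common(1)[0][0]


# Constructed sample: one scanned record held as six replicas across two providers.
RECORD = b"TIFF image bytes of a scanned deed, page 1"   # placeholder content
MANIFEST_DIGEST = sha256_hex(RECORD)                       # written to the manifest at ingest
LOCATIONS = ["aws-us-east", "aws-eu-west", "aws-ap-south",
             "azure-us-west", "azure-eu-north", "azure-ap-east"]


def scenario_bit_rot() -> dict:
    """One copy suffers a single flipped bit; the audit finds it and the repair fixes it."""
    replicas = {loc: RECORD for loc in LOCATIONS}
    damaged = bytearray(RECORD)
    damaged[0] ^= 0x01                         # flip one bit in the first byte
    replicas["azure-eu-north"] = bytes(damaged)
    before = audit_replicas(replicas, MANIFEST_DIGEST)
    rewritten = repair_replicas(replicas, MANIFEST_DIGEST)
    after = audit_replicas(replicas, MANIFEST_DIGEST)
    return {"damaged_before": before["damaged"], "rewritten": rewritten,
            "damaged_after": after["damaged"]}


def scenario_consistent_tamper() -> dict:
    """An attacker with write access to four copies rewrites them identically.
    Majority voting would now elect the forged content; the manifest digest still flags it."""
    forged = b"TIFF image bytes of a scanned deed, page 1 (altered)"
    replicas = {loc: RECORD for loc in LOCATIONS}
    for loc in LOCATIONS[:4]:
        replicas[loc] = forged
    return {"majority_matches_manifest": majority_digest(replicas) == MANIFEST_DIGEST,
            "flagged_by_manifest": audit_replicas(replicas, MANIFEST_DIGEST)["damaged"]}


if __name__ == "__main__":
    print(scenario_bit_rot())
    print(scenario_consistent_tamper())
```

The manifest is the trust anchor: it must be written at ingest and kept where the process that rewrites replicas cannot reach it, or the repair step will happily “restore” every copy to the forged version.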
LIBNOVA INVITED TO ARCHIVER PROJECT KICKOFF EVENT AT CERN Madrid and Miami – Libnova, a provider of digital preservation solutions, has been invited to take part in the kickoff event at the European Organization for Nuclear Research (CERN) in Geneva. The Open Market Consultation will take place over the next three months in different locations across Europe, and is driven by the leading research organizations on the continent. The ARCHIVER project will introduce radical improvements in the area of archiving and digital preservation services with scientific research entities in mind. Alongside Libnova, other global companies have been invited, such as Amazon’s cloud services, IBM Research, Google, Oracle and Huawei. The aim of this process is to understand the particular needs of the scientific communities in areas of digital preservation and archiving services, both of which are areas where Libnova is a leader. The ARCHIVER project, archiving and preservation for research environments, has received funding from the European Union’s Horizon 2020 research and innovation program. Libnova is also known for its continuous research and development programs. Last year, after presenting its latest research results on artificial intelligence (AI) and neural networks, one of its latest focal points, it was awarded a 500,000 Euro grant to continue research.
PRESERVICA ANNOUNCES SUPPORT FOR MICROSOFT AZURE CLOUD Boston, MA and Oxford, UK: Preservica, a leader in active digital preservation software, has announced its Enterprise Private Cloud offering on the Microsoft Azure cloud platform. The combined solution enables Microsoft enterprise and government customers to protect and future-proof critical long-term data over decades in order to extract value, mitigate litigation and compliance risk and intelligently leverage knowledge for competitive advantage. Preservica’s Enterprise Private Cloud for Microsoft Azure is designed for organizations with strict regulatory, privacy and security requirements. It is fully managed by Preservica and can be deployed in a private Azure network with dedicated resources or on a customer’s own Azure infrastructure. The platform includes extensive APIs for integration with other content services platforms (CSPs), federated search and discovery, as well as leveraging Microsoft’s AI and Machine Learning services for facial recognition, AV transcription, sentiment analysis, cognitive search and identification of sensitive data e.g. Personally Identifiable Information (PII) for GDPR compliance. Preservica has also recently announced an automated archiving and digital preservation offering for enterprise-scale Microsoft SharePoint environments. The new intelligent SharePoint connector enables customers to automatically transfer critical long-term records and content from Microsoft SharePoint sites across the enterprise to the Preservica active digital preservation platform based on user defined fields. This enables organizations to streamline the governance of critical long-term content, drive greater cost efficiency and ensure compliance.
Studies by the IGI and AIIM show that every major organization has a large and diverse array of critical digital data that needs to be kept for decades or permanently in order to mitigate risk, meet compliance and extract value. Digital transformation and application decommissioning initiatives are driving further exponential growth in long-term digital content. Preservica’s OAIS (ISO 14721) conforming active digital preservation platform future-proofs all types of digital information against technology obsolescence, ensuring valuable digital assets remain accessible and trustworthy over decades.
EMERGING TECHNOLOGY A Smart Panda autonomous bus developed by DeepBlue Technology displayed during the 7th China (Shanghai) International Technology Fair on April 18, 2019. [Photo/IC]
CHINA’S DEEPBLUE TECHNOLOGY PROVIDES CUTTING-EDGE TECH BY FAN FEIFEI | CHINA DAILY
Chinese AI company DeepBlue Technology Co Ltd (Shanghai) is expanding into overseas markets, especially those in Europe, the Middle East and Southeast Asia. The moves are designed to boost the application of cutting-edge AI technology in different business scenarios around the world. DeepBlue Tech inked an agreement with the Foundation Magna Grecia, an Italian financial institution, last March 21, to create a local subsidiary and help Italian cities to embrace the digital dimension using AI. DeepBlue Italy will boost the country’s AI push. It will supply products relating to Big Data, data analytics and AI that will become part of city infrastructure, besides tapping into industries like financial services, transportation, tourism, hospitality and medical care in Italy. DeepBlue Tech opened its European headquarters in Luxembourg last year, and established three joint laboratories with the National Laboratory of Luxembourg, covering self-driving, intelligent manufacturing, and data and financial security. “We have signed cooperation agreements with the governments of Greece and Italy in the field of intelligent cities, and plan to introduce our palm vein recognition system in at least three European countries this year,” said Chen Haibo, founder and CEO of DeepBlue Tech. Chen explained that palm vein recognition, which is expected to be applied in the customs and medical fields in Greece, is preferred over facial recognition systems in light of European privacy protection laws. Incidentally, the company exported smart vending machines to Europe last year. The company holds intellectual property rights over proprietary technologies like deep learning architecture, machine vision, and biological intelligent recognition.
These find applications in fields like self-driving vehicles, intelligent robots, biological intelligence, smart retail, security, life sciences and AI chips. The company remains cautious toward making inroads into the US market, although many of its R&D staff graduated from US universities. “Our technology has an upper hand in Europe, Asia, Africa and the Middle East, and there are relatively few barriers for our products in these markets,” Chen said. The company’s smart Panda Bus, powered by self-driving technology, a palm vein recognition system, an in-vehicle robot, voice interaction and other advanced AI technologies, will be launched in Bangkok, the capital of Thailand, by the middle of this year. The luxury bus uses high-grade self-driving technology based on AI, which provides passengers with more comfortable experiences. A Panda Bus can take full control and operate in select parts of a preset journey in a certain geography when certain operating conditions are met. At other times, it is capable of completing an entire journey without driver intervention. One of its constraints is that it will be confined to a certain geographical area. The bus received enthusiastic support from users in certain markets. Countries such as Germany, Luxembourg, Italy and Greece have shown much interest in this product. It is expected that the smart Panda Bus will be available in Europe later this year, DeepBlue Tech executives said. “The self-driving bus has entered six cities across China: Changzhou (Jiangsu province), Jinan (Shandong province), Quzhou (Zhejiang province), Deyang (Sichuan province), Chizhou (Anhui province) and Tianjin,” Chen said. Source: China Daily http://global.chinadaily.com.cn/a/201904/29/WS5cc66111a3104842260b90f2.html
AI USED TO TRANSCRIBE CONTENT
AVAILABLE FOR JOURNALISTS IN SECONDS
Journalists are now getting assistance from AI-powered transcription services. The emerging technology accomplishes this by blending a text editor with an audio/video player and then marrying the AI-generated text to the source audio to the millisecond. The result can be searched, allowing a journalist to look for specific names, words, or phrases in the transcript. Here is the scenario modern journalists face in our era of multi-platform news: they complete a half-hour interview, but only need a soundbite or two or three. Simultaneously, their social media strategist needs content for Facebook, Twitter, and Instagram; the radio team wants audio for its newscast; and the online editor needs an article for the website. In the past, all these channels would have to wait for the journalist to manually transcribe the interview and then pass it along. But progressive transcription services, like London-based startup Trint, or others like Rev and Scribie, have changed the game and sped things up by giving journalists the ability to turn the spoken word into text through either human-based transcription or machine learning. Users can search the content, follow it like karaoke, and correct it as needed to produce trustworthy transcripts that are 95%-99% accurate. AI software reduces the work required to complete a transcription. A journalist can record an interview on an iPhone app, add markers at the right times during the interview, and, when done, send the entire interview for ingestion into an AI-powered transcription service. It is returned in minutes for instant team sharing. These new transcription services are a productivity tool for journalists, making it simple to shape raw recorded content into stories in a simple, intuitive workflow.
FUTURE OF DEFENSE IS AI
Security experts contend that AI could be the next disruptive defense technology. Aspects of AI, also known as ‘Algorithmic Warfare’, could potentially replace major structural concepts such as network-centric warfare (NCW), and could lead to enhanced information gathering and processing capacity. Most investment in AI has come from China, Russia, and the US, with all three competing in AI development. The three countries have declared strategies to achieve ‘offset advantages’ through robotics and AI. In July 2017, China announced plans to become the world leader in AI by 2030 and to create a $150 billion AI industry. Russian President Vladimir Putin noted in September 2017, “Whoever becomes the leader in this sphere will become the ruler of the world.” AI can be used for a range of military applications, although its likely near-term benefit is to quickly and efficiently process large volumes of data to aid military personnel in making decisions derived from the identified patterns, relationships, associations, and correlations. The Joint Artificial Intelligence Center (JAIC) was formed by the US Department of Defense in June 2018 as the focal point for carrying out its AI strategy and will oversee about 600 projects. As well as enabling consistency of approach, technology, and tools, JAIC’s work will complement efforts by the Defense Advanced Research Projects Agency (DARPA), DoD laboratories, and other entities focused on longer-term technology creation and future AI research and development. Attempts have been made to use AI for ‘swarming’ attacks to overwhelm adversaries. Small unmanned aerial vehicles (UAVs) and unmanned ground vehicles have the potential to coordinate with one another using AI. They offer the ability for large-scale intelligence gathering and to scale physical mass and battlefield points of presence, increasingly independently of the numbers and locations of human combatants.
Combat vehicles with more autonomy require less human operation and decrease the demand for bandwidth (a key issue for remotely operated vehicles). The more automation a vehicle has, the more likely it can operate in areas with a “contested or congested electromagnetic spectrum.” As AI expands, the demand for professionals has increased, making it a burgeoning opportunity for IT professionals and recent college graduates.
BLOCKCHAIN IN HEALTHCARE – EMPOWERING PATIENTS AND PROFESSIONALS BY DAVID METCALF, PhD
The pace of change in healthcare over the next 10 years will intensify, and with this quickening pace, pressure will be applied to old business models and operating systems. So many changes are upon us, and blockchain-enabled solutions could serve as a foundation for many of them. The automation of transactions through smart contracts and distributed apps is already reshaping healthcare billing transactions, supply chain, licensure, government regulation and healthcare technology financing. This is only the beginning. Keeping an eye toward the future, the contributors and thought leaders involved in developing the book, “Blockchain in Healthcare: Innovations that Empower Patients, Connect Professionals and Improve Care,” which was released at the 2019 HIMSS Conference in Orlando last February, provide an overview of how blockchain is influencing other emerging areas of clinical science, healthcare administration and healthcare technologies. Our real-world examples and use cases give readers practical ideas about how to apply this technology to their organizations and existing networks. Examples include the Internet of Things, artificial intelligence (AI), genomics, medical tourism, smart cities and global health. The convergence of these technologies with blockchain is critical to our ability to realize their potential.
ASSESSING THE BLOCKCHAIN IN HEALTHCARE LANDSCAPE The book is divided into three major sections. First, we explore the foundations and background of blockchain in healthcare. We explore the protocols, networks, and foundational use cases that have created this new movement in healthcare technology. Next, our contributors provide evidence of how the technology is being realized in today’s world using credible use cases currently underway. Finally, we provide a view of the future that is as diverse as the intersections of blockchain and artificial intelligence, genomics, medical tourism and how blockchain is being used in smart cities initiatives. UNLEASHING THE POWER OF BLOCKCHAIN AND ITS POTENTIAL VALUE Our team believes that the true power of blockchain will be unleashed when you consider blockchain and _ [blank] _. The blank represents: • Any value chain in health or healthcare where there are issues of trust, transparency and incentive alignment. • The important sub-disciplines where blockchain technology can help unlock the potential for automation of complex processes through smart contracts. • The emergence of digital currencies or providing a trusted transaction record for a variety of healthcare operations and functions that can be improved through trust and transparency. • The rise of community-owned solutions that empower consumers. CASE STUDIES AND CONVERSATIONS WITH LEADERS IN HEALTHCARE AND BLOCKCHAIN Throughout the book we provide case studies that explain these concepts and add realism and practicality to an otherwise technical and philosophically driven topic. Plus, editor’s notes for each chapter provide further context for why a particular topic is essential and how it links to other parts and the whole of blockchain in healthcare. 
The authors of this book have had the privilege of curating some of the best ideas and practical examples of blockchain technology in healthcare since the genesis of it not too long ago, and we are excited to share our findings. On behalf of all of the authors and contributors, we hope you enjoy the myriad views of blockchain and how it will continue to influence and shape the healthcare and technology landscape. We are only just beginning the journey of the fundamental shifts and disruptions underway in our society. DAVID METCALF, PHD, IS DIRECTOR, MIXED EMERGING TECHNOLOGY INTEGRATION LAB, INSTITUTE FOR SIMULATION AND TRAINING, UNIVERSITY OF CENTRAL FLORIDA; AND MEMBER OF HIMSS BLOCKCHAIN IN HEALTHCARE TASK FORCE. HE CAN BE REACHED AT DMETCALF@IST.UCF.EDU
MEDICAL BILLS ARE KILLING AMERICANS Americans are suffering from crippling medical debt in a uniquely American epidemic that affects 20% of the population and has accumulated roughly $81 billion in debt. These numbers are expected to increase alongside rising uninsured rates and growing popularity of cheap, bare-bones health plans. For some, the result can be life threatening. Fear of debt can discourage patients from seeking medical attention while existing debt can negatively impact healthy lifestyle choices, exacerbating medical conditions and leading to more debt.
IG LEADERS IN HEALTHCARE COMMONALITIES ARISE
Leading healthcare organizations that have implemented IG programs share some common characteristics: 1) Value information as an asset – understand the value and risks of information and strive to link information value to organizational objectives; 2) Collaborative culture – recognize that interdisciplinary cooperation is key, and that clinical and business process owners must have strong support from IT, Legal, HIM/RIM, privacy/security; 3) Strong executive sponsorship – executives understand the linkage between quality information and quality patient care, and understand that minimizing information risks protects patient trust, brand equity, and shareholder value; 4) Operational efficiency focus – organizational competence in policy-making, business process design, and process improvement; 5) Continuous improvement ethos – a cultural commitment to be a learning organization where continual improvement is valued and reinforced. Source: “Implementing Health Information Governance: Lessons from the Field.” (AHIMA, 2015), by Linda Kloss
8 of 10 Information Governance Programs fail to meet their stated business objectives.
INFORMATION GOVERNANCE | HEALTH
Harvesting Computing Brainpower to Improve Healthcare 5 KEY STEPS IN LEVERAGING AI IN HEALTHCARE
A fundamental aspect of today’s artificial intelligence (AI) applications is the strategic leverage they give users. While all business sectors will benefit from AI, the healthcare industry will see widespread adoption as administrators and CEOs realize its potential. This is an emerging technology, and, as such, businesses that operate within the healthcare industry and begin using AI will gain a competitive advantage. The following five key steps help define how to leverage AI in healthcare. First, users must understand what AI is and what it does. AI applications use the same data other systems use. Although the common perception is that AI simply replaces human ability, the key point is that it does some things “better” or “more accurately,” and some things humans want to do but cannot. For instance, the Finnish company Fimmic Oy developed a deep-learning AI application that helps pathologists identify abnormalities the human eye cannot see.[1] (Deep learning means that software attempts to mimic human thinking activity; the software learns to recognize patterns, such as those in digital representations of sounds, images, and other data.) The key is to remember AI’s ability to leverage data and information at levels humans cannot. It is not a magic robot! But it does have powerful information processing capabilities. With baseline training, existing healthcare workers should be able to manage and control new AI applications. Second, AI can use sophisticated algorithms to “learn” features from a large volume of healthcare data, and then use the obtained insights to assist clinical practice.[2] Much of today’s AI literature uses the term “deep learning” to describe what AI does behind the scenes. Third, given AI’s learning capacity, the long-identified problem of injury and death caused by medical errors (the third leading cause of death in the U.S.) can be addressed at a micro level. The resulting data then becomes a point of leverage for funding elements such as Medicare reimbursements. Deep learning promotes “self-correcting abilities to improve system accuracy based on feedback.”[3] Fourth, AI can assist with evidence-based practice (EBP) protocols by monitoring the hundreds of accessible information databases, enabling real-time EBP. This physician/AI partnership adds to the benefits of meaningful use and other US federal healthcare requirements. Finally, AI will contribute to public health initiatives. By linking preventive medicine routines with elements such as diabetes risk factors, healthcare organizations can begin to project “healthy communities” that ultimately contribute to public health initiatives that are equitable. It certainly costs less to provide preventive healthcare services than to perform surgeries or administer extreme treatments in an acute care setting. —Staff
[1] Tibbetts, J. H. (2018). The Frontiers of Artificial Intelligence. BioScience, 68(1), 5–10. https://doi.org/10.1093/biosci/bix136
[2] Jiang, F., et al. (2017). Artificial intelligence in healthcare: past, present and future. Stroke and Vascular Neurology, 2(4), 230–243.
[3] Ibid.
Artificial Intelligence in Healthcare SURGE OF INVESTMENT FUELS EXPECTATIONS
ne of the most remarkable tech advances to come out of the current digital revolution has been the practical use of artificial intelligence (AI). From robotics to machine learning, and across all business sectors, AI is not your grandfather’s Ultron. It is automation through a type of intelligent reasoning that utilizes electronic data at a scale that the human brain cannot. In the healthcare industry, the source and production of this data has outpaced human comprehension. This is particularly true with the emerging wearable technology sector and the ubiquitous use of data obtained through the Internet of Things (IoT). Healthcare organizations looking to leverage their existing data assets for AI will need to develop governance, infrastructure, and technology partnerships to guide their efforts. Investment in healthcare-related AI is “expected to reach $6.6 billion by 2021,” resulting “in annual savings of $150 billion by 2026.” 1 Organizations that participate in this growth will conceptually utilize an IG infrastructure leveraged with state-of-the-art technology infrastructure. Such a partnership helps AI do what humans cannot do, i.e. structuring massive sets of big data. Facilitating these partnerships requires cooperation and close support for the end user in a near-symbiotic relationship to ensure regulatory concerns about information sharing are adequately addressed. Because of the risk of the lack of human control, the relationship must be never be severed. The symbiotic relationship has three components: a conceptual IG framework, a partnership with a technology company, and training needed to combine the two. Reddy, Fox, & Purohit terms healthcare delivery systems that are AI-enabled are used for “patient administration, clinical decision support, patient monitoring, and healthcare interventions.” 2 The effectiveness of AI in healthcare centers around the timely delivery of interventions, improved diagnostic accuracy, and the reduction of medical errors. 
1. AI And Healthcare: A Giant Opportunity. Forbes. From https://www.forbes.com/sites/insights-intelai/2019/02/11/ai-and-healthcare-a-giant-opportunity/#599177fd4c68
2. Reddy, S., Fox, J., & Purohit, M. P. (2019). Artificial intelligence-enabled healthcare delivery. Journal of the Royal Society of Medicine, 112(1), 22-28. From https://journals.sagepub.com/doi/abs/10.1177/0141076818815510
Lack of Information Governance training is the leading cause of IG Program failure.
INFORMATION GOVERNANCE | HEALTH
Six Strategies to Consider When Implementing IG
THESE APPROACHES CAN HELP HOSPITALS TO EFFECTIVELY IMPLEMENT IG | BY RITA BOWEN AND ERIN HEAD

1. Assemble a multidisciplinary team. Make sure all disciplines — information technology, health information management, compliance, C-suite, legal, revenue cycle, risk management, quality, finance, security — are represented. Define everyone’s role in managing information throughout its life cycle. Identify a senior champion who can help with buy-in and provide a financial perspective. Create a charter aligned with organizational goals and priorities. Is population health an issue you’re trying to resolve? Patient engagement? Focus on what you want to accomplish and decide which issues to tackle, one at a time.

2. Assess the current information landscape. Take an inventory of existing policies, procedures and systems for capturing, processing, delivering and storing data. Get a handle on all data from different departments — accounting transactions, coding data, billing information, and operational and clinical data. Consider all entry and access points. Identify gaps, issues, new priorities. For instance, how are you incorporating patient-generated health information, information from other hospitals and other external information into your system?
3. Make the case for IG. Educate the entire organization on the role and mission of the team. Conduct in-service training using infographics, key performance indicators and real-life case studies of organizations that have initiated IG programs. Engage health information management along with clinical, financial and operational staff to show the importance of IG. In her book on information governance, Kloss profiles health care providers at various stages of IG implementation. This is an excellent guide for getting started and gaining support for IG.

4. Map your data. Ensuring data integrity through data mapping is essential. Work with IT, health information management and other departments to determine which data elements are being mapped. When various data elements are flowing from one system to another, you need to ensure that the information transferred has the same meaning and intent. Are data definitions consistent? How will you consolidate data from different systems and make sure they are accurate, complete and accessible? Look at your source data — where it flows, how it’s handed off, how it’s used. Consistency of data entry on the front end is critical to quality and integrity.
We can help. We are the world’s leading provider of IG training.
5. Apply guiding principles for creating an IG program. The 11 Sedona Principles for IG are an example of guiding principles. Collaborate with team members, particularly with health information management professionals who have the expertise to advance enterprise-wide IG. As the stewards of health care information for decades, they understand the guiding principles and they’re preparing to assume leadership roles. Invest in health information management training and development.
Our instructors leverage best practices, metrics and real world experience to help you succeed. Call us today.
6. Invest in advanced technology. Acquire tools to ensure that information is accessible and useful — easily converted into actionable data for strategic initiatives. Invest in data analytics to capitalize on information, improve care and reduce costs. Clear and consistent accounting up front requires data analysis — it’s part of IG. Health care executives need the ability to do business analysis in all care settings and all systems. However, technology alone is not enough — information governance practices are needed to realize the full value of technology. That means having the right people and processes in place along with the right tools to manage information on the front end and ensure reliable information on the back end.

Source: https://www.hhnmag.com/articles/6875-six-strategies-to-consider-when-implementing-information-governance
Call us at: 1.888.325.5914 or visit us at IGTraining.com
INFORMATION GOVERNANCE TRADE SHOWS & CONFERENCES
DATA MONETIZATION & INFONOMICS SUMMIT May 17, 2019 (Chicago) IG World Magazine is holding our first Data Monetization & Infonomics Summit on Friday, May 17th in Chicago to educate C-level executives and IG leaders on how to leverage information value. The Summit will be held at the Talbott Hotel, an award-winning venue in Chicago’s historic Gold Coast District. Presenters include Rich Kessler (KPMG), Robert Smallwood (Institute for IG), Ren Leming (Informu Solutions), Neil Calvert (LinQ), with a special appearance by Doug Laney, the author of Infonomics. Attendees will participate in exercises designed to engender a real-world understanding of how Information Governance can form the foundation for monetizing information value using the principles of Infonomics. To register, email email@example.com. https://events.infogovworld.com
MER CONFERENCE May 20-22, 2019 (Chicago) The 27th annual MER conference is the best IG conference of the Spring season. IG World encourages all readers to attend. MER will focus on legal, technical and operational aspects of managing electronic records. Compelling keynote speakers will bring diverse perspectives to pressing issues and illuminate potential solutions to real-world problems. Conference sessions will focus on disruptive technologies such as blockchain, IoT, social media and machine learning. Attendees will include progressive decision-makers, organization influencers and IG practitioners seeking solutions to their business’s IG challenges. https://www.merconference.com/

If You are Going to MER: What to do in Chicago Visitors to Chicago’s Gold Coast have many opportunities to enjoy the city. Start with Navy Pier and ride the giant Centennial Wheel or enjoy a good meal at one of the many eateries. Folks who like to see things from high up in the sky can visit the 360 Chicago observatory on the 94th floor of 875 North Michigan Avenue (formerly the John Hancock Center). The Magnificent Mile is a great place to go shopping. Or maybe catch a Cubs game at Wrigley Field? A walk along the shore of Lake Michigan is a wonderful way to enjoy the sights and sounds of the city. https://www.choosechicago.com/
DGIQ DATA GOVERNANCE & INFORMATION QUALITY CONFERENCE June 3-7, 2019 (San Diego) The DGIQ is the world’s largest event dedicated entirely to data governance and information quality. Attendees can choose from six tracks with more than 35 real-world case studies. Sessions are designed for experienced data governance and data quality professionals as well as for beginners. Conference topics include: Data Stewardship, Governing the Data Lake, Metadata Governance, Data Quality Strategies, Business Glossaries, Data Quality Metrics, tips for GDPR compliance, methods to establish data quality metrics, emerging trends and best practices. Speakers include Nate Haskins, the Chief Data Officer of Standard & Poor’s; Jimm Johnson, Data Governance Program Manager for Scripps Health; and Kristin Love, Enterprise Information Architect at GlaxoSmithKline. http://www.debtechint.com/dgiq2019/
What to do in San Diego San Diego is known as America’s Finest City. Located on the Pacific coast, it has a Mediterranean climate that is warm and comfortable year-round. Visitors can explore San Diego’s historic Old Town, which features many authentic Mexican restaurants. The Point Loma lighthouse has sweeping views of the Pacific Ocean and the US Navy installations on San Diego Bay. The Gaslamp district offers many opportunities for nightlife entertainment. https://www.sandiego.com/attractions
ISSA CISO FORUM June 13-14, 2019 (Boston) ISSA, the Information Systems Security Association, is hosting a CISO Forum designed to provide senior executives with the opportunity to come together and discuss real-world problems in a peer-to-peer event. These quarterly events are available to ISSA Executive members who seek opportunities to share concerns, successes and feedback in a peer-only environment. The topics discussed provide relevant data points for the busy executive who needs to keep up with today’s challenging InfoSec issues. The intimate settings give executives the chance to create new relationships with individuals who share the immense responsibility for keeping organizational crown jewels safe. The collaborative environment helps foster knowledge sharing and shape the future of the profession. https://www.issa.org/page/CISOhome
HIMSS/HARVARD DATA, INSIGHTS AND STRATEGIES FOR THE HEALTH ENTERPRISE June 19-21, 2019 (Boston) The Healthcare Information and Management Systems Society (HIMSS) is teaming up with Harvard Medical School to conduct an executive education program for senior leaders in healthcare. Sponsored by faculty advisor Dr. Stanley Shaw, this three-day event will focus on emerging applications of data analytics that are creating new opportunities for diverse stakeholders, including patients, providers, health systems and payers. Attendees will learn about emerging streams of nontraditional data, the ever-increasing role digital health plays in filling gaps in care delivery and access (tele-medicine), and the impact on clinical workflows from both a patient and a provider perspective. The speakers include John Brownstein, Chief Innovation Officer at Boston Children’s Hospital; Inga Lennes, Director of Clinical Quality at Massachusetts General Cancer Hospital; and Isaac Kohane, Chair of Biomedical Informatics at Harvard Medical School. https://go.himss.org/Data-Insights-Strategies-For-HealthEnterprise.html

What to do in Boston The historic town of Boston offers visitors a plethora of interesting opportunities to see the actual venues where many important events in American history occurred. From Beacon Hill to Harvard University to Fenway Park, Boston is a treasure trove of Americana. Boston Harbor is close at hand. Intrepid visitors may wish to throw tea in the harbor to commemorate our ancestors’ historic rebellion against British taxation. Others may wish to visit cutting-edge restaurants or the local craft breweries. https://www.boston.gov/visiting-boston
IAPP ASIA PRIVACY FORUM 2019 July 15-16, 2019 (Singapore) The International Association of Privacy Professionals (IAPP) Asia Privacy Forum 2019 is the premier privacy event in the Asia-Pacific region. Singapore is the host city for data protection professionals from India, the Philippines, Hong Kong, China, Taiwan, Japan, Australia, Europe and North America. Conference goers will have the opportunity to discuss emerging privacy protection policies, transborder data flows, cross-border data breaches and how doing business in Asia involves hot-button issues in Data Protection. The two-day conference will feature topics such as: Privacy Compliance in Japan; Artificial Intelligence in E-Commerce vs. Privacy Concerns under Indian Law; and Chinese Data Protection & Cybersecurity Reforms. Sessions will also focus on the Asia-Pacific Economic Cooperation (APEC) Privacy Framework and comparisons with GDPR implementations. https://iapp.org/conference/iapp-asia-privacy-forum/
What to do in Singapore Singapore offers exotic opportunities to relax and enjoy one of the most modern, well-oiled city machines in the world. It is home to impressive feats of architecture, including historical sites and natural parks. Gardens by the Bay features “super trees” which appear to come right out of an alien world. The Cloud Forest dome has an awesome waterfall. Visitors with an appetite will enjoy a large variety of tastes, including Chinatown, Little India, and Kampong Glam, which is located in the old Arab quarter and offers a taste of the Middle East in the middle of Asia. https://jonistravelling.com/2-days-in-singapore/
INFORMATION GOVERNANCE EVENTS

May 2        Sedona Conference Working Group 1 Midyear Meeting (Charlotte)
May 7-9      Document Strategy Forum (Anaheim)
May 8        CDO Summit (Columbia University, NYC)
May 9-16     SANS Security West 2019 (San Diego)
May 13-15    ISACA CACS 2019 North America (Anaheim)
May 13-14    CFO Leadership Conference (Boston)
May 14-15    DAA Digital Velocity Conference (San Diego)
May 15-16    CAO Chief Analytics Officers & Influencers, Spring 2019 (San Diego)
May 14-16    CLOC 19th Annual Corporate Legal Operations Institute (Las Vegas)
May 15       EDRM 2019 Workshop (Durham)
May 15-16    Chief Analytics Officers Conference (San Diego)
May 14-17    Archiving 2019 Digitization, Preservation and Access (Lisbon)
May 17       * Data Monetization & Infonomics Summit (Chicago) Register at https://events.infogovworld.com
May 20-22    * MER Conference (Chicago)
May 22-23    CIGO Conference (Chicago)
May 22-24    ACC Global General Counsel Summit (London)
May 23       CDO Event (Cambridge University)

June 2-5     Techno Security & Digital Forensics Conference (Myrtle Beach)
June 3-5     ARMA Canada Live 2019 (Montreal)
June 5-6     EDI 4th Annual Electronic Discovery Institute Summer Meeting (Columbus)
June 3-7     * DGIQ Data Governance & Information Quality Conference (San Diego)
June 6       CFO Alliance Technology Transformation (Newport Beach)
June 9-12    SCCE 2019 Higher Education Compliance Conference (Orlando)
June 12-13   4th Annual Big Data Conference (Toronto)
June 10-13   ISACA COBIT 2019 Overview (Tampa)
June 10-13   AHIMA Crack The Codes: Advanced Coding Workshops (Chicago)
June 13-14   * ISSA CISO Forum (Boston)
June 11-13   HIMSS & Health 2.0 Europe Conference (Helsinki)
June 15-22   SANSFire 2019 (Washington DC)
June 17-19   2019 Internal Investigations Compliance Workshop (Orlando)
June 17-20   Gartner Security & Risk Management Summit (National Harbor)
June 19-21   * HIMSS/Harvard Data, Insights and Strategies for the Health Enterprise (Boston)
June 23-26   HFMA Healthcare Financial Management Association Annual Conference (Orlando)
June 26      ACC 2019 Corporate Counsel University (Minneapolis)
June 27      EDI 4th Annual EDI New York Meeting (New York)

July 7-10    IIA International Conference (Anaheim)
July 14-15   AHIMA Clinical Documentation Improvement (CDI) Summit (Chicago)
July 15-16   * IAPP Asia Privacy Forum 2019 (Singapore)
July 16-18   RSA APJ Conference (Singapore)
July 15-18   ISACA Privacy and Data Protection: Intro to the Global Landscape (Boston)
July 17      Data Architecture Conference (on-line)
July 27-31   AHIMA Assembly on Education Symposium (Atlanta)

Aug 3        EDRM Technology Assisted Review (webinar)
Aug 3-8      Black Hat USA (Las Vegas)
Aug 8-11     DEF CON (Las Vegas)
Aug 18-22    ILTACON 2019 (Lake Buena Vista)
Aug 18-23    TDWI Conference (San Diego)
Aug 23       IRMS Data Protection and Ethics (London)
Aug 24-30    IFLA 85th General Conference and Assembly (Athens)

Note: events marked with an asterisk (*) have write-ups in the Trade Show section.