
INFORMATION GOVERNANCE WORLD

CYBER-STAR DR. MANSUR HASIB ON LEADERSHIP

REN LEMING ON INFORMATION ASSET REGISTERS

NEW SEDONA GUIDANCE ON LEGAL HOLDS

ADVICE FROM LEADING IG EXPERTS

KPMG LLP’S RICH KESSLER & MICHAEL HENZEY SUPERCHARGING YOUR DATA VALUE STRATEGY

BARRY MOULT

GDPR BEST PRACTICES

THE DATA LUMINARY VOL 2 • ISSUE 1 • FALL 2019

INFOGOVWORLD.COM YOUR GLOBAL IG RESOURCE®

ILONA KOTI

TRANSGENDER RECORDS TRANSITION CHALLENGES

NAGARA’S JOHNNY HADLOCK ON GROWING THE ORG POLITICS & KICKBALL

BUD PORTER-ROTH ON CLOUD CONTENT MANAGEMENT

1st ANNIVERSARY ISSUE

DENNIS KESSLER

IG FOR PUBLIC SECTOR


EUROPEAN INVESTMENT BANK’S

DR. PATRICIA FRANKS


LINQ brings infonomics to life.

LINQ enables businesses to learn the true business value of their information, and evaluate the impact of changes to the data, systems, and processes to maximize business value.

SEE MORE AT: WWW.LINQ.IT


THE DATA & ANALYTICS CONSULTING FIRM

Business and IT leaders trust Caserta to help them govern and extract value from their data.

Monetize Your Information Leverage the value of your organization’s information using principles from Infonomics, authored by Caserta’s Principal Data Strategist Doug Laney. Let’s start a conversation about your data strategy. Email hello@caserta.com to speak with an expert.


PUBLISHER’S LETTER


PHOTO BY LILLI GARCIA

EACH TIME WE BEGIN to create a new issue, I wonder if we can put together a magazine that features IG leaders and great content that will maintain our high-quality standards. Yet once again, we have assembled a fantastic issue full of relevant and insightful content from IG superstars across the globe, so rich in content that every IG professional should be reading just to stay on top of the discipline. We are fortunate to feature Dennis Kessler of the European Investment Bank at his home in Luxembourg, just after he returned from chairing a major event in Berlin. Dennis has been on this IG journey with me since he somewhat accidentally ended up in one of my early IG training classes more than five years ago, and we stayed in touch. It’s wonderful to hear his insights and also to learn a bit about his private life in his interview. KPMG’s Rich Kessler (no relation to Dennis, we think) and his colleague Michael Henzey wrote a very insightful article on data value—and by the way, don’t miss the opportunity to hear Rich and me speak at our upcoming New York and San Francisco IG & Infonomics Summit events, along with Doug Laney, the infonomics guru. NAGARA’s Executive Director, Johnny Hadlock, gives us all a spark of enthusiasm as he discusses the programs he put in place which have revitalized and dramatically grown NAGARA’s membership, and we learn of his weekend warrior exploits as a kickball champ! Dr. Patricia Franks provides insights into IG in state & local government, and Aaron Bryant gives his advice on IG careers, as well as his IG objectives when at the Washington State Department of Health. We also get to know frequent contributor and IG Guru™ website honcho Andrew Ysasi, who has a string of certifications in addition to a master’s degree, and who is “all in” as a family man, and yet still finds time to mentor students.

From across the pond, Barry Moult discusses GDPR best practices, and Reynold Leming lets us know 25 key benefits of information asset registers (IAR), as well as how an IAR can help with GDPR compliance. On the data privacy side, our own contributing editor Mark Driskill writes about the comparison between GDPR and California’s CCPA; and we also learn about employer compliance with the CCPA from legal eagles Justine Phillips, Jessica Gross, and Daniel Masakayan. Readers will also learn of a new privacy standard from ISO, and another privacy standard that Google vetoed. In cybersecurity, we interview rock star Dr. Mansur Hasib, and learn about his journey from CIO to earning his doctorate, and what he learned from his mother on leadership. Mark Veron lets us know about the wild but tamable world of threat intelligence, and our own Baird Brueseke wrote a shocking piece on security awareness in healthcare.

In data governance, Kash Mehdi gives us four clear steps for kickstarting a data governance program. In ediscovery, we get a review of updated guidance on legal holds from the Sedona Conference, by expert Brad Harris. In records management, expert Paula Lederman writes on the reasons why IG takes time, and Ilona Koti shines a light on the challenges of maintaining accurate vital records for transgender people. And my longtime colleague from the Bay Area, Bud Porter-Roth, tells us of the challenges and pitfalls in moving content to the cloud, and gives us serious issues to think about in that process. Happy reading!

Robert Smallwood
CEO & Publisher

Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com


Information Governance & Infonomic$ Summit
The path to leveraging information value: From Information Governance to Infonomics

When: December 4, 8am-5pm; Reception & Book Signing 5pm-6pm

Where: The Marker Hotel, San Francisco

Who is Invited: C-level Executives & IG Leaders

Special Appearance by Doug Laney, author of Infonomics

“Effective Information Governance (IG) programs improve operational efficiency and compliance capabilities while leveraging information as an asset to maximize its value. Active IG programs are the hallmark of well-managed organizations, and increasingly IG has become an imperative, especially for global enterprises.” —From Chapter One

The Second Edition of Information Governance continues to offer a guide to the imperative big picture for implementing IG, with actionable steps to reduce information risk, improve compliance capabilities, and leverage information value. Information Governance is filled with much-needed advice and practical strategies for compliance and risk managers, operations managers, corporate counsel, corporate records managers, legal administrators, information technology managers, archivists, knowledge managers, and information governance professionals. Information Governance features major contributions from these leading experts in the field: Baird Brueseke, Monica Crocker, Barclay Blair, Charmaine Brooks, Dr. Patricia Franks, Doug Laney, Andrew Ysasi, Randolph Kahn, Esq., Darra Hoffman, and Bassam Zarkout.

INFORMATION GOVERNANCE CONCEPTS, STRATEGIES AND BEST PRACTICES


Neil Calvert, LINQ Infonomics Solutions

Robert Smallwood, Institute for Information Governance

Second Edition


Robert F. Smallwood with leading experts

There has been a “perfect storm” of sorts that fueled concerns for information privacy, data protection, and regulatory compliance. The 2018 EU General Data Protection Regulation (GDPR), amidst the drumbeat of colossal data breaches and major privacy violations, ignited a wave of increased activity in the field of information governance (IG). In today’s environment, it is vital that business managers have a clear understanding of the methods and best practices used to control and secure information, and the opportunities to leverage information asset value. That requires an effective IG program.

Cost: $495. Includes continental breakfast, lunch, coffee breaks, a cocktail reception, and a copy of Laney’s Infonomics. By invitation only. Request yours today by emailing events@infogovworld.com.

The revised and updated Second Edition of Information Governance offers an important guide that reviews the basic concepts of IG, defines what it is (and what it is not), explains how to justify and implement an IG program, and explores ways to secure and control information while maximizing its value using infonomics principles. The discipline of IG covers a range of components: privacy, cybersecurity, e-discovery and law, records management, compliance, information technology, risk management, business operations, and more. Filled with illustrative examples and written in clear language, Information Governance addresses the many aspects of IG with actionable strategies and proven best practices. Written by a noted expert in the field with contributions from a number of industry pioneers and experts, Information Governance explains how to plan and manage a cohesive and (continued on back flap)

MEDIA SPONSOR

Eli Zukovsky, Haystac

Is data the new oil? Join us and key C-level executives to understand how to navigate the journey to harvesting newfound information value. You’ll learn the principles and formulas for monetizing information from Doug Laney’s groundbreaking book, Infonomics. We’ll have insightful presentations and panel discussions, including a group lunch, then conclude with a book signing by Doug Laney and also Robert Smallwood, who will sign the new edition of his book, Information Governance, during a catered cocktail reception where you can network with peer executives and industry leaders. The event will be held at the elegant Michelangelo Hotel, a treasure in NYC.

Proven and emerging strategies for implementing information governance programs using best practices

Richard Kessler, KPMG


CONTENTS

INFORMATION GOVERNANCE IN SOCIETY
10 2019 NAGARA Annual Conference | 35th Anniversary year, St. Paul, MN

INFORMATION GOVERNANCE PUBLIC SECTOR
12 Information Governance & Digital Transformation for Local & State Government by Dr. Patricia Franks
15 An Interview with Aaron Bryant
20 A Sit-Down with NAGARA Leader Johnny Hadlock

INFORMATION GOVERNANCE BEST PRACTICES
24 Chapter #1: The Information Governance Imperative
27 25 Exciting Things to Do with an Information Asset Register by Reynold Leming

INFORMATION PRIVACY
30 Is CCPA Just a “Mini GDPR”? by Mark Driskill
32 CEOs from Big Tech Ask Congress to Pass Federal Data Privacy Law

INFORMATION SECURITY
34 An Interview with Dr. Mansur Hasib, Cybersecurity Leader
37 Healthcare Workers Often Not Trained in Cybersecurity Awareness by Baird Brueseke
38 Phishing Attacks are Morphing – Changing to Bypass Security Tools by Baird Brueseke
39 The Wild But Tamable World of Threat Intelligence by Mark Veron

COVER STORY
40 The Data Luminary: Dennis Kessler of the European Investment Bank by Robert Smallwood

ANALYTICS & INFONOMICS
50 Supercharging Your Data Management Strategy with Value by Richard Kessler and Michael Henzey

RISK & COMPLIANCE
52 GDPR Best Practices: A Pragmatic Approach by Barry Moult
55 An IAR is Good for GDPR! by Reynold Leming
56 Collaboration Tools Have an IG Problem by Baird Brueseke
58 Employee Privacy by Design: Guidance for Employers Beginning to Comply with the California Consumer Privacy Act by Justine Phillips, Jessica Gross and Daniel Masakayan

LEGAL & EDISCOVERY
62 The Sedona Conference Offers Updated Guidance on Legal Holds by Brad Harris

RECORDS & INFORMATION MANAGEMENT
66 Interview w/ Andrew Ysasi
69 Transitory Records by Ilona Koti
72 Not a Six Week Project by Paula Lederman

DATA GOVERNANCE
74 4 Best Practices to Kickstart a DG Program by Kash Mehdi

CONTENT SERVICES
78 Cloud Content Management: Cleanup on Aisle 4 by Bud Porter-Roth

80 INFORMATION GOVERNANCE TRADE SHOWS
82 INFORMATION GOVERNANCE EVENTS


INFORMATION GOVERNANCE WORLD
YOUR GLOBAL IG RESOURCE®
infogovworld.com VOLUME #2 ISSUE #5 FALL 2019

CEO & PUBLISHER: Robert Smallwood
CHIEF OPERATING OFFICER: Baird Brueseke
CREATIVE DIRECTOR: Kenny Boyer
VP OF BUSINESS DEVELOPMENT: Dan Adams
CONTRIBUTING EDITORS: Mark Driskill, Martin Keen, Dan O’Brien
CONTRIBUTING WRITERS: Baird Brueseke, Mark Driskill, Patricia Franks, Jessica Gross, Brad Harris, Michael Henzey, Richard Kessler, Ilona Koti, Paula Lederman, Reynold Leming, Daniel Masakayan, Kash Mehdi, Barry Moult, Justine Phillips, Bud Porter-Roth, Robert Smallwood, Mark Veron, Andrew Ysasi
CONTRIBUTING PHOTOGRAPHERS: Aaron Bryant, Bo Hallengren, Johnny Hadlock, Brad Harris, Mansur Hasib, Brian Lau, Kash Mehdi, Meg Phillips, Katie Willey, Andrew Ysasi

Pictured: the cover of the Summer 2019 issue (Vol 1, Issue 3), featuring Oz Alashe on analytics & cybersecurity, GDPR one year later with Richard Hogg, Jason R. Baron on RIM’s major threat, Nicolas Economou on AI’s role in e-discovery, Sonia Luna on COSO & risk management, Nathaniel Palmer on IG & intelligent automation, Heidi Maher on her vision for CGOC and IG & data privacy benchmarks, and John Isaza on global RIM compliance.

Check us out online and sign up today for a free digital subscription to Information Governance World magazine. Print subscriptions for the quarterly mag are $49/year, or $195 for five team members.

SPECIAL THANKS TO INTERVIEWEES:

Aaron Bryant, Johnny Hadlock, Mansur Hasib, Dennis Kessler, Andrew Ysasi

2358 University Ave # 488, San Diego, CA 92104
infogovworld.com | 1.888.325.5914
© 2019 InfoGov World Media LLC

INFORMATION GOVERNANCE EDUCATION, NEWS & EVENTS: subscribe.infogovworld.com


INFORMATION GOVERNANCE

Information Governance: A PRIMER

According to the Sedona Conference, Information Governance (IG) is about minimizing information risks and costs while maximizing information value. This is a compact way to convey the key aims of IG programs. The definition of IG can be distilled further. An even more succinct “elevator pitch” definition of IG is “security, control, and optimization” of information. This is a short definition that anyone can remember, and a useful one for communicating the basics of IG to executives. To go into more detail: this definition means that information—particularly confidential, personal, or other sensitive information—is kept secure. It means that your organizational IG processes control who has access to which information, and when. And it means that information that no longer has business value is destroyed and the most valuable information is leveraged to provide new insights and value. In other words, it is optimized.

IG PROGRAMS REQUIRE CROSS-FUNCTIONAL COLLABORATION

IG involves coordination between data privacy, information security, IT, legal and litigation/e-discovery, risk management, business records management functions, and more. It is a complex, amalgamated discipline, as it is made up of multiple sub-disciplines. IG must be driven from the top down by a strong executive sponsor, with day-to-day management by an IG Lead, a person who could come from one of the major sub-disciplines of IG: IT, cybersecurity, privacy, RIM, analytics, legal, operations, or related disciplines.

THE KEY DIFFERENCES BETWEEN DATA GOVERNANCE & INFORMATION GOVERNANCE

Data Governance (DG) and Information Governance (IG) are often confused. They are distinct disciplines, but DG is a subset of IG, and should be a part of an overall IG program. DG is the most rudimentary level at which to implement IG, and DG programs often provide the springboard for IG programs.

Data governance entails maintaining clean, unique (non-duplicate), structured data (in databases). Structured data is typically about 10%-20% of the total amount of information stored in an organization. DG includes data modeling and data security, and also utilizes data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data, and deduplication to eliminate redundant occurrences of data. Data Governance focuses on data quality from the ground up at the lowest or root level, so that subsequent clinical assessments, reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables.

THE CHALLENGE: MANAGING UNSTRUCTURED INFORMATION

Unstructured information is the vast majority of information, and it is the information that organizations struggle to manage. Unstructured information generally lacks detailed metadata and includes scanned images, email messages, word processing documents, PDF documents, presentation slides, spreadsheets, audio recordings, video files, and the like. Unstructured information is more challenging to manage than structured information in databases, and is the primary focus of IG programs. IG is much broader and more far-reaching than DG. IG programs include the overarching policies and processes to optimize and leverage information as an asset across functional silos while keeping it secure and meeting legal and privacy obligations. These IG program aims should always be in alignment with stated organizational business objectives.


For more information about becoming a Certified Records Manager or Certified Records Analyst contact (518) 463-8644 or visit www.icrm.org



INFORMATION GOVERNANCE | SOCIETY

2019 NAGARA Annual Conference | 35th Anniversary year, St. Paul, MN

NAGARA held its largest ever annual conference for its 35th anniversary, with over 300 attendees at the InterContinental St. Paul Riverfront Hotel in St. Paul, MN. Kudos to the NAGARA Team for their vision and drive in making the conference a great success for all who attended.

CONTRIBUTED PHOTOS

Conference attendees enjoy NAGARA’s Closing Evening Reception, an 80’s themed river boat cruise to celebrate NAGARA’s 1984 ‘birthday’!

This year’s conference, held at the InterContinental Saint Paul Riverfront hotel, was the second time NAGARA has hosted an annual conference in the Land of 10,000 Lakes.

NARA’s Meg Phillips captured this picture of Executive Director Johnny Hadlock and wondered out loud if NAGARA as an organization has picked up a bit of his gregarious energy and personality.

Attendees listen to one of four keynote speakers who presented during the two-and-a-half day event.

Attendees enjoy one of the 22 educational sessions offered during the conference. All sessions covered salient topics geared towards government archivists and records managers.

Over 300 individuals attended the 2019 NAGARA Annual Conference – making it the highest attended annual conference in NAGARA’s 35-year history!



News

RECENT NEW ALLEGATIONS AND SETTLEMENTS BY GOOGLE RAISE PRIVACY CONCERNS

In early September of 2019, Brave’s Chief Policy Officer, Dr. Johnny Ryan, suspected that Google was circumventing its own GDPR policies by tracking users. Brave is a search engine competitor to Google. Dr. Ryan has been campaigning very publicly against Google, and according to Ryan, Google has created a system of web tracking that will enable it to keep its online advertising model as profitable as possible. The story was first reported in the Financial Times. Several news outlets, including TNW (TheNextWeb.com) and TechSpot, have picked up the story as well. These allegations are concerning considering GDPR requires that users consent to being tracked. Ryan’s evidence reportedly shows Google had “labeled him with an identifying tracker that it fed to third-party companies that logged on to a hidden web page.” Ryan has handed over his findings to the Irish data regulator, and according to reports, Google is cooperating with the investigation. If the regulator finds that Google has violated GDPR, it will likely be hit with further fines. It is important to note that Brave is a competitor to Google and markets itself as a privacy-friendly browser. Further, according to the report, Google has denied tracking users and will cooperate with the Irish investigation.

Also in September, Google’s YouTube agreed to settle with the FTC for $170 million in the United States for personalizing ads to children under the age of 13 via YouTube. YouTube CEO Susan Wojcicki, in a blog post, said that in early 2020 they would treat data from “anyone watching children’s content on YouTube as coming from a child, regardless of the age of the user.” YouTube will also stop serving personalized ads on this content entirely, and it will disable certain features on this type of material, like comments and notifications. While these privacy allegations and issues are concerning, is it possible that Google is too big to roll out privacy protections? COPPA, or the Children’s Online Privacy and Protection Act, took effect in 2000 to protect online privacy for children. Those close to the regulation recognize it is much older than GDPR and are surprised by Google’s lack of awareness or ability to fully comply. While the rush to learn about GDPR, or to play proverbial chicken with regulators in the EU, is understandable, personalizing ads for children under 13 seems like a new low. The fine will likely do little to hurt Google financially, but it tells big tech companies that the FTC is not turning a blind eye to Google. With GDPR, Google and other big tech companies will likely continue to be in the crosshairs of regulators. Earlier this month, Mark Zuckerberg boasted of a likely legal victory over US Democratic presidential candidates who wish to break up big tech firms. With billions on the line, and privacy regulations growing fast in free-market countries, it is likely big tech companies and regulatory enforcers will continue to cross paths.


INFORMATION GOVERNANCE | PUBLIC SECTOR

Information Governance & Digital Transformation for Local & State Government

BY DR. PATRICIA FRANKS

Figure 1: The Many-Headed Hydra (labels: Big Data, Analytics, AI, Blockchain, Business Systems, SaaS, GIS, Records, Social Media, Mobile Apps, Data, IoT, E-mail, Websites, Information). Based on the term introduced by Venkatesh Rao in “The End of Pax Papyra and the Fall of Big Paper,” Forbes, 2012.

The trend toward digital transformation has been embraced as a way to improve efficiencies and satisfy both government worker and citizen expectations. Information Governance is the approach that can coordinate efforts and drive the efficiencies promised through digital transformation for both the government workforce and citizens.

INFORMATION GOVERNANCE

The task of governing data and information is becoming increasingly difficult. IDC predicts the global datasphere will grow from 33 zettabytes in 2018 to 175 zettabytes by 2025.[1] The challenges presented by the volume of data are compounded by the myriad of data formats as well as the devices and systems used to create and store it. In 2012, a Forbes contributor used the term digital hydra to describe the multiple ways in which digital data is created, a term more appropriate today than ever (see Figure 1). What was once the responsibility of the records and information manager has now, of necessity, become a team project. The Information Governance Reference Model emphasizes collaboration among key stakeholders including business users, IT, legal, privacy, cybersecurity, risk, and regulatory departments at a minimum.[2] Teams involved in digital transformation initiatives must not only ask, “How can technology be utilized to improve our existing process?” but also, “How can our existing processes be transformed to make the most of our technology investments?” The answer to this last question promises to bring the most transformative experiences.

STATE AND LOCAL GOVERNMENT CONTEXT

“The term digital transformation refers to the evolution of business activities, workflows, and processes to leverage the latest trends in digital technology and the impact such innovations are having on society.”[3] Unfortunately, digital transformation below the federal level in the U.S. is restrained by a complex governmental structure: 50 states and 19,000 cities, towns and villages, each with some level of decision-making when it comes to enacting governing legislation.[4] This means that while it is unlikely that a strategy employed by one entity and replicated “as is” by another will be successful, state and local governments have common goals and can learn from one another.

EXAMPLES OF STATE & LOCAL GOVERNMENT DIGITAL TRANSFORMATION

Here are some prime examples of activities and technologies state and local governments employ to maximize the value of their information while minimizing associated risks and costs.

1. Real-Time GIS to Manage Tours & Equine Waste

Challenge: Over 41,000 horse-drawn carriage tours were conducted in the City of Charleston, South Carolina, in 2018 alone. While popular with tourists, equine urine smells generated complaints by citizens and business owners. A city ordinance on diapering and sanitation communication requires every animal-drawn vehicle be equipped with a two-way communication system, a GPS unit, and digital flags to be dropped to identify areas in need of sanitation.[5] According to one estimate, only 25% of such incidences were reported.

Solution: A real-time GIS system called Carriage Alerts Mapping Platform (CAMP) now provides drivers with one-click GPS devices to report locations in real time. An Esri GeoEvent Server processes locations and generates notifications to the sanitation crew, and an operations dashboard allows monitoring and managing of the required workflows.

Results: Improved sanitation crew and carriage operator communications and reduced sanitation response times.[6]

2. Creating a Modern Interface to Legacy Assessment Information

Challenge: The Assessor’s Office of the County of Los Angeles provides assessment information for over 2.4 million properties. The Office planned an Assessment Modernization Project (AMP) to replace a legacy system built on 1970s mainframe technology. Because it would take approximately eight years to complete, the department decided to enhance its legacy system, demonstrate project management and agile software development competency, and begin the change management process the new system would require.

Solution: The Assessor’s Portal displays data originating in the legacy system through a new interface. GIS and mapping functionality are provided by ESRI, Google, and EagleView/Pictometry JavaScript APIs. The Portal integrates with the Department’s document management and file scanning initiative (which digitized 2.4 million parcel files containing approximately 10 million pieces of paper).

Results: The Assessor Portal, completed in nine months, is shared with all other County Departments, including the Registrar Recorder for deeds, Public Works for building plans and permits, and the Tax Collector for payment and delinquency information.[7] A lightly redacted version of the Portal is available for the public (see Figure 2).

Figure 2: The Assessor’s Portal providing access to the public.

3. Increasing Voter Participation through Blockchain-Based E-Voting

Challenge: Only 18% of West Virginia’s 2 million military service members and their families reported

receiving ballots in 2016; 11% were counted due to rejections and tardy ballots. The State’s elections director believed blockchain technology could increase overseas voter participation.[8]

Solution: The first instance of remote blockchain voting in the US was announced by Secretary of State Mac Warner in 2018. During the 2018 midterm elections, 144 military personnel stationed overseas in 24 countries were able to cast their ballots using a mobile, blockchain-based platform called Voatz. Although not seen as a solution for mainstream voting by Warner, it could be a vehicle to increase participation by service members and their families stationed overseas.

Results: The 2018 pilot was considered a success. West Virginia will allow blockchain voting for service members stationed outside of the country in the 2020 presidential elections.

4. Bouncing Back from Ransomware: Taking a Disaster Recovery Approach

Challenge: In February 2018, the Colorado Department of Transportation (CDOT) suffered a SamSam ransomware attack that encrypted nearly 2,000 computers, servers and network devices. Fortunately, transportation operations were not impacted, but finance and payroll operations were.

Solution: A coordinated approach to recovering from the attack was initiated by then-Gov. John Hickenlooper, who declared a statewide emergency, enabling officials to seek assistance from the National Guard and other states. Kevin Klein, Colorado’s Director of Homeland Security and Emergency Management, was brought in to coordinate emergency operations.

Results: The state of Colorado spent about $1.5 million to recover from the incident, but the approach proved effective. About 80 percent of CDOT’s systems were recovered within a month of the initial attack. Since then, other governments hit by ransomware attacks have issued disaster declarations and many are conducting simulated cyberattacks along with natural disaster drills.[9]

5. Connecting with Citizens through Social Media

Challenge: The Los Angeles Police Department’s social media goal is to protect and improve the overall reputation of the police department. In July of 2018, a Los Angeles police officer shot and killed a Trader Joe’s employee during an exchange of gunfire with an attempted murder suspect. Social media users were quick to jump to conclusions based on insufficient information.

Solution: The LAPD’s social media team, tracking negative sentiment in real time, urged leaders to release body camera footage to citizens. Overturning a policy that could take more than a month to release this type of video, leaders released the video to the press and had it posted on social media within 48 hours.

Results: This proactive approach kept constituents informed and the police department’s reputation intact.[10]

DISCUSSION/CONCLUSION

The examples of digital transformation provided illustrate how local and state governments are adopting the latest trends in technology to meet their needs while modifying business activities, workflows and processes to better take advantage of those innovations. Information Governance, defined as “the activities and technologies that organizations employ to maximize the value of their information while minimizing associated risks and costs,” can provide a foundation for digital transformation for government at the state and local levels.[11]

Dr. Patricia C. Franks is the Coordinator for the Master of Archives and Records Administration degree in the School of Information at San José State University. She is a Certified Archivist, Certified Records Manager, and Information Governance Professional, as well as a member of ARMA International’s Company of Fellows. Among her numerous publications, Franks is author of Records and Information Management (2013, 2018). Franks currently serves as the Vice President of NAGARA, the National Association of Government Archivists and Records Administrators. She can be reached at patricia.franks@sjsu.edu

REFERENCES:

[1] Reinsel, D., Gantz, J. and Rydning, J. (2018, November). The Digitization of the World: From Edge to Core. [IDC Whitepaper]. International Data Corporation (IDC). Available at https://www.seagate.com/files/www-content/our-story/trends/files/idc-seagate-dataage-whitepaper.pdf Last accessed September 21, 2019.

[2] EDRM. (n.d.). Information Governance Reference Model (IGRM). Duke Law. Available at https://www.edrm.net/frameworks-and-standards/information-governance-reference-model/ Last accessed September 21, 2019.

[3] Sebree, B. How Society’s Digital Transformation is Impacting Local Government. Available online at https://www.civicplus.com/blog/ce/how-digital-transformation-is-impacting-local-government Last accessed September 21, 2019.

[4] NLC (2019). 2018 NLC Annual Report. Washington, DC: National League of Cities. Available at https://www.nlc.org/sites/default/files/2019-05/2018-NLC-Annual-ReportFINAL.pdf Last accessed September 18, 2019.

[5] City Council. (2019, July 31). Code of the City of Charleston, South Carolina, Chapter 29 – Tourism, Article V – Transportation by animal-drawn vehicles for purposes of touring, Sec. 29-209 – Diapering apparatus and sanitation communication required. Available online at https://library.municode.com/sc/charleston/codes/code_of_ordinances?nodeId=CICO_CH29TO_ARTVTRANAWVEPUTO Last accessed September 21, 2019.

[6] City of Charleston. (2019, May 14). Carriage Alerts Mapping Platform: Real-time GIS to Manage Tours & Equine Waste. 2019 URISA Single Process Systems ESIG Award Application. Available at https://www.urisa.org/clientuploads/directory/Documents/ESIG/2019%20Winners/CityOfCharleston.pdf Last accessed September 21, 2019.

[7] County of Los Angeles, Office of the Assessor. (2018, June 4). 2018 URISA Exemplary Systems in Government (ESIG) Award Submission.

[8] MIT Technology Review. (2019, April 18). West Virginia will allow “blockchain voting” in the 2020 election. That’s a risky idea. Available at https://www.technologyreview.com/f/613358/west-virginia-will-allow-blockchain-voting-in-the-2020-election-thats-a-risky/ Last accessed September 21, 2019.

[9] Freed, B. (2019, May 15). What Colorado learned from treating a cyberattack like a disaster. StateScoop. Available at https://statescoop.com/what-colorado-learned-from-treating-a-cyberattack-like-a-disaster/ Last accessed September 21, 2019.

[10] Hootsuite. (2019). The State of Social Media in Government. [Report]. Available at https://hootsuite.com/resources/the-state-of-social-media-in-government-in-2019 Last accessed September 21, 2019.

[11] IGI. (2014, August 1). IGI’s Definition of Information Governance. Available at http://iginitiative.com/resources/igis-definition-information-governance-2/ Last accessed September 21, 2019.



An Interview with AARON BRYANT, Former CIGO, WA Department of Health

Aaron Bryant is an executive-level professional in RIM and IG, and is also certified as a Project Management Professional (PMP). For over a decade he has helped to develop RIM strategies to mitigate risk and reduce costs for Fortune 500 companies in the retail, legal, finance, hospitality and, most recently, healthcare verticals. Mr. Bryant’s expansive knowledge and expertise in RIM is evident in the body of his work, as he has established a consistent track record for helping organizations leverage their information to benefit all aspects of their success. We spoke with him near his home in the Seattle area.

IGW: Where did you grow up, and go to school?

AB: I was born and raised in Gaithersburg, Maryland. I graduated from Seneca Valley HS, Home of the Screaming Eagles, in Germantown, Md.

What are some of your fondest memories from childhood?

My fondest memories of my childhood were spending time with my friends during the summer months. We would often spend our time hanging out by the pool. I can also recall the summer days of my childhood being carefree and relaxing.

What prompted you to go back to school at the university level, and to eventually earn your MBA?

After serving time in the military and law enforcement, I felt that I needed to advance my skill level to better myself both personally and professionally. My graduate focus was on Management and Strategy, which allowed me to advance my critical thinking skills, better assist organizations and align their Information Governance goals with the overall company strategy.

How did you get into the records management profession?

There was a period in my career where I worked for a small consulting company that designed software for document control. During the peak of the ENRON and Arthur Andersen incidents I had a conversation with an individual and we began to discuss the future of document management. I became inquisitive and began to do my research. I started to gather information on disposing of information, and I also paid attention to the uprising issues of life cycle management of information. The research I had done on these issues led me to the field of records management.

What sparked your interest and how did you move into the IG side of the business?

Earlier in my career, I found that records management only dealt with a small subset of information life cycle management. I naturally became interested in managing information that fell outside of the definition of a record. I saw the opportunity through a holistic approach to the management of information and felt that, with the adequate framework, I could show organizations how to transform their information into an asset with proper governance control.

You’ve worked in a variety of industries, including stops at Whole Foods, Hyatt Hotels, two law firms, and now the Washington State Department of Health—what commonalities did you find in those varying environments?

There were opportunities to value information as an asset in each of those verticals. Another commonality was the approach to designing an IG framework. An individual can apply the same stakeholder gathering, requirement gathering, and business analysis processes to initiate the information governance program. Also, across these verticals, there will always be a need for policies and procedures.

What are the major differences?

A major difference in each vertical was the myriad of laws, rules and regulations that were relevant to that industry. Most importantly, the difference in corporate cultures makes for IG challenges.

Information Governance began in the health sector at the National Health Service in the UK. As an IG professional, what challenges have you found specific to healthcare administration?

As an IG professional in healthcare administration, the greatest challenge I found was the large amount of data that is collected, shared, and used across the organization. Another challenge is the proper management and control of data as it is brought into the organization. Due to the amount and veracity of the information that is coming into the organization, it is a challenge to apply best practices without the proper organizational framework regarding the governance of information.

What were your primary goals for the Washington State Department of Health in your IG management position there?

During my time at the Washington State Department of Health, my primary goals were to implement policies and procedures that dealt with life cycle management, data sharing, and data management. Another goal I had was to increase the capabilities of the agency in order to decrease cost and mitigate the inherent risks of managing the healthcare information of the citizens of the State of Washington.

What advice would you give to IG professionals just starting out?

For the IG professionals that are just starting out, I would advise that they become a quick study of all the different aspects of IG. These aspects include security, privacy, risk, IT, legal, RIM—and more. A broad understanding and the ability to work with others with more knowledge and experience in these fields is a soft skill that is warranted. Also, my personal advice is to be a jack of all trades and master of none.

What hobbies or special skills do you have that might surprise your colleagues?

I am a DJ/Music Producer and I had radio shows on 91.7 KOOP in Austin, Texas and 89.3 KAOS in Olympia, WA. I aspire to create music for television and movies in the future.

What do you miss about living in Chicago?

What I miss most about Chicago is the walkability of the city. I lived in downtown Chicago and I would walk everywhere that I needed or wanted to go. I was able to see parts of the city that I would think people never saw. It was a great feeling to be among the tall buildings and other people as they traveled in and out of the city, and I miss it a lot.

What do you like most about living in Washington state?

Living in Washington State has allowed me to reconnect with nature. It was a big difference coming to Washington from Chicago, but I quickly became acclimated to the weather and culture of the Pacific Northwest. Also, the coffee!

Aaron may be reached at mrabryant9@gmail.com


News

VERMONT MOVING FORWARD WITH BLOCKCHAIN

For decades, trust between state governments and the people they serve has been declining. While the debate about ‘why’ will likely continue, declining trust in government could eventually lead to a breakdown in civil order. When a citizen conducts business with their government, they expect the information they receive to be accurate and trusted. Additionally, a citizen expects that as the government uses their information, it will be secure and free from hacker eyes. Often, the only assurance that electronic information is secure comes from the social capital built up between the government and the people. Today, state governments have a new tool in their collection of public accountability assurances—blockchain.

Blockchain, or more specifically, Distributed Ledger Technology (DLT), first gained popularity in 2009. Until very recently, its primary use had been the facilitation of Bitcoin currency propagation and transfers. In very broad terms, each time the Bitcoin moves from one digital locker to another, details about that move go with the Bitcoin in a permanent electronic ledger. This creates a record about all transactions and transfers that specific Bitcoin has been a part of. This record cannot be altered in any way without disrupting the integrity of Bitcoin. The secure environment created by DLT can be used as a type of “asset database that can be shared across a network of multiple sites.” Each time the ledger adds another “block” to the record it does so with a cryptographic signature. This signature is a permanent part of the ledger. This way of electronically indicating who had the Bitcoin at what specific time can be used for other applications, including, “online voting, medical records, insurance policies, property and real estate records, copyrights and licenses, and supply chain tracking. They can also include smart contracts, where payouts between the contracted parties are embedded in the blockchain.” This is particularly useful in state and local governments, which otherwise deal directly with the public on a regular basis.

In 2018, Vermont introduced “blockchain-based LLCs… a legal structure that memorializes the liability and fiduciary duties unique to some blockchain businesses.” In 2019, Vermont began a pilot program for accepting insurance filings using DLT. This would not work without an underlying regulatory framework supporting it. In short, “the legal system must recognize DLT as a court-support means of authenticating records.” Vermont’s recordkeeping rules now include self-authenticating DLT-supported records, “admissible when accompanied by a written declaration by a qualified person.” In Vermont, these business records fall under the business records exception for hearsay. This spurs business and entrepreneurial growth because more clarity brings less risk. As other states address the use of DLT to authenticate records, it should be noted that underneath the public face of government is a set of laws and regulations that support how the government serves citizens.

STATES DRAFTING NEW PRIVACY LAWS WITH LITTLE SUCCESS

Consumer concerns over the collection and sale of personal data led to a burst of consumer data privacy bills in 2019, as state legislatures vied to follow California’s lead in giving users more control of personal information. But well-funded tech giants and other business concerns have put up major resources to oppose the bills, and California is still trying to amend details of its data privacy law before it takes effect next year. Only three states actually enacted new privacy laws, out of the 24 states that considered them; Nevada, Illinois, and Maine enacted new laws.

The pressure for new legislation is building, since a $5 billion fine against Facebook for privacy violations and a $700 million settlement with Equifax over data breaches have brought even more public attention to the issue. Also, the documentary Hacked continued the drumbeat of revelations about election manipulations by Cambridge Analytica, which used personal data to profile voters.

Despite enthusiasm for more privacy rules by legislators and their constituents, many states found themselves hamstrung with balancing privacy concerns against business growth. Also, tech giants like Google, Amazon, and Facebook outspent privacy lobbyists and pushed for a national approach, arguing that one federal standard like Europe’s 2018 General Data Protection Regulation would be fairer and stronger. But in all likelihood these tech giants want a more watered-down version of GDPR, if federal legislation passes at all. Many states are waiting for California to settle its last-minute quarreling over details in its law before setting their own policies. California passed a bill under time pressure in June 2018, giving consumers the right to see any of their data collected by a company or website, and the ability to opt out of having it sold to third parties. Governor Jerry Brown signed it into law. But many amendments fine-tuning the law are still pending, with a deadline of September for the legislature to pass them.
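The blockchain item above says that each block is added with a cryptographic signature that becomes a permanent part of the ledger, so an earlier record cannot be altered without disrupting the integrity of everything after it. The following Python example is added here to show that mechanism in its simplest form; it is not Vermont’s pilot system or any vendor’s DLT code. It stands in a SHA-256 hash link for the per-block signature the article mentions (an assumption: a production ledger would additionally sign each block with a private key and replicate it across sites), and the insurance filings it records are constructed sample data.

```python
"""Minimal append-only hash-chained ledger (illustrative, added example).

Each block commits to the hash of the block before it, so rewriting any
record in place, or even rewriting it and recomputing its own hash, is
detected when the chain is verified.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

GENESIS_PREV = "0" * 64  # back-link used by the first block


@dataclass(frozen=True)
class Block:
    index: int
    prev_hash: str   # hash of the previous block (GENESIS_PREV for block 0)
    record: dict     # the business record being authenticated
    block_hash: str  # SHA-256 over index, prev_hash and record


def block_digest(index: int, prev_hash: str, record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so equal records always hash equally.
    payload = json.dumps({"index": index, "prev_hash": prev_hash, "record": record},
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    def __init__(self) -> None:
        self.blocks: List[Block] = []

    def append(self, record: dict) -> Block:
        index = len(self.blocks)
        prev_hash = self.blocks[-1].block_hash if self.blocks else GENESIS_PREV
        block = Block(index, prev_hash, record, block_digest(index, prev_hash, record))
        self.blocks.append(block)
        return block

    def first_invalid_block(self) -> Optional[int]:
        """Index of the first block whose back-link or own hash no longer
        matches, or None when the whole chain verifies."""
        expected_prev = GENESIS_PREV
        for b in self.blocks:
            if b.prev_hash != expected_prev:
                return b.index
            if block_digest(b.index, b.prev_hash, b.record) != b.block_hash:
                return b.index
            expected_prev = b.block_hash
        return None

    def is_valid(self) -> bool:
        return self.first_invalid_block() is None


def demo() -> Tuple[bool, bool, Optional[int]]:
    """Build a three-entry filing ledger, then alter the middle entry in place.

    Returns (valid before tampering, valid after tampering, first bad index).
    """
    ledger = Ledger()
    for filing in [  # constructed sample insurance filings, not real submissions
        {"filer": "Example Mutual", "form": "annual-statement", "year": 2019},
        {"filer": "Example Mutual", "form": "rate-filing", "year": 2019},
        {"filer": "Sample Assurance", "form": "annual-statement", "year": 2019},
    ]:
        ledger.append(filing)
    before = ledger.is_valid()

    # Tamper: change the record of block 1 without touching any hash.
    old = ledger.blocks[1]
    ledger.blocks[1] = Block(old.index, old.prev_hash,
                             {**old.record, "year": 2018}, old.block_hash)
    return before, ledger.is_valid(), ledger.first_invalid_block()


if __name__ == "__main__":
    print(demo())  # (True, False, 1)
```

The second failure mode matters most for the “permanent part of the ledger” claim: if the tamperer also recomputes block 1’s hash, block 1 verifies on its own, but block 2 still carries the old back-link, so verification fails there instead. Either way the alteration is detectable, which is the property the article relies on for self-authenticating records.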


LOCAL US GOVERNMENTS UNDER CYBER SIEGE BY ANDREW YSASI

The summer of 2019 continued to be devastating to local governments under siege from hackers and malware. The Texas Department of Information Resources is investigating over 20 attacks on mostly rural Texas towns. Further, this trend does not appear to be slowing down. Attacks on municipalities have more than doubled in 2019. There is no discrimination in the size of cities dealing with breaches. Baltimore suffered an attack in late spring that crippled the entire city. Further, two cities in Florida paid over $1M to have their data unlocked. Mayors of large cities, such as Atlanta Mayor Keisha Bottoms, are pushing for the federal government to step in and help. According to a CNBC article on June 27th, 2019, Bottoms said, “The federal government should ... expand programs that share real-time threat information, which is often critical in avoiding and mitigating threats. We should also have federal programs in place to provide cybersecurity disaster-relief funding. This will help offset recovery costs borne locally.” What can these cities do to protect themselves? First, recognizing that the problem is real is the crucial first step. Second, reviewing insurance policies to ensure cyber threats are covered is essential. Also, understanding the risk appetite of the municipality, where vital records are stored (electronic and physical), how quickly data can be restored to a usable state, testing the effectiveness of backups, assessing vendor capabilities, having backup processes, ensuring the IT support system has the funding necessary to respond to an attack, and having an actual plan are all critically important.

Gone are the days of the “wait and see” mentality related to cyber threats to municipalities. The CIO of the Mat-Su area in Alaska, Eric Wyatt, repeatedly asked for additional funding for his inadequate IT budget to improve security. It was only after an attack that he saw his budget skyrocket. Why wait for a debilitating cyber-attack to invest in cybersecurity? It makes much more sense to spend tax dollars in local technology infrastructures than paying a significant ransom to a likely overseas attacker.

RANSOMWARE ATTACKS HIT MUNICIPALITIES

Municipal governments report a continued increase in ransomware attacks, while the US federal government offers little assistance. Hackers downed a help line during a major snow storm in Akron, Ohio, late last year, and froze the city of Baltimore’s computer networks for months earlier this year. Then, in August, coordinated ransomware attacks against 23 cities in Texas were carried out. Ransomware is an attack method using malware that encrypts data until the target/victim pays a “ransom” to regain access. Typical ransomware tactics involve freezing access to data until a few hundred dollars is paid in Bitcoin. But new ransomware strains like “Ryuk” and “SamSam” are now being used which infect an entire organization’s computing system, and the price asked for ending the ransomware attack increases exponentially. Legislators in Washington, D.C. have offered little in the way of federal help for states and local governments under cyberattack. However, in late September, the Senate approved new legislation aimed at protecting local cities and schools from ransomware attacks. The proposed “DHS Cyber Hunt and Incident Response Teams Act” authorizes the Department of Homeland Security (DHS) to create “incident response teams” to help organizations battle ransomware attacks. That means that the DHS would create teams to protect state and local entities from cyber threats and restore infrastructure that has been affected by ransomware attacks. Too many municipalities remain unprepared for today’s threat environment, with inconsistent software updates, weak IT departments, and a pattern of selecting the insurer-paid option when confronted with the cost of restoring systems from the ground up. Despite the FBI’s current advice, for instance, Lake City, Florida paid its ransomware attackers over $460,000 in Bitcoin this year, and Riviera Beach, Florida paid around $600,000 to regain access to its systems.
Baltimore is trying to recover from what may be the most expensive ransomware attack ever for a state or local government in the US. The City refused to pay a ransom but will spend up to $18.2 million to restore its systems.


NEVADA JOINS THE PRIVACY PUSH

The California Consumer Privacy Act (CCPA) of 2018 started something. Lawmakers across the USA are now thinking about data privacy and how consumer personally identifiable information (PII) can be secured, controlled, and governed. Using the CCPA as a template, considerations include how personal data is collected, stored, analyzed, and sold. And from a revenue standpoint, lawmakers are looking for ways to fairly tax the sale of personal data for commercial use to plug budget gaps. Nevada appears to be the latest to create a new law aimed at protecting consumers. Following in the footsteps of the CCPA, Nevada is poised to create a right to “opt out” for consumers of the sale of their personal information. Most importantly, this new requirement in Nevada will be enforceable on October 1, 2019, three months before the CCPA takes effect. There is an interesting synergy here, as many businesses preparing to comply with the CCPA will also have to take into consideration Nevada’s new opt-out policy.

SO WHAT?

This isn’t new news in the State of Nevada. This new opt-out right expands on an existing online privacy law enacted in 2017. This original law applied to website operators and other online services that collected relevant personal information from customers in Nevada. This previous requirement necessitated that websites offer a privacy policy containing:
1. Categories of covered information collected
2. Categories of third parties with whom the operator shares covered information
3. A process for consumers to review and request changes to their covered information
4. A process for the notification of material changes to the notice
5. Whether the operator collects covered information concerning an individual consumer’s online activities.

This new opt-out right (SB-220) allows “consumers to direct an operator to not make any sales of covered information that the operator has collected, or will collect, regarding the consumer.” Once this kind of request is made, an operator is prohibited from making a sale, and these requests require a designated request address set up by the operator in order to file them. There are some important terms in SB-220 that are worth considering:
• A “verified request” is where “an operator can reasonably verify the authenticity of the request and the identity of the consumer using commercially reasonable means.”
• An “operator” includes any entity that:
 – Owns or operates an Internet website or online service for commercial purposes
 – Collects and maintains covered information from consumers who reside in Nevada and use or visit the Internet website or online service
 – Purposefully directs its activities toward Nevada
• “Covered information” remains the same as it was in the 2017 online privacy law:
 – A first and last name
 – A home or other physical address which includes the name of a street and the name of a city or town
 – An email address
 – A telephone number
 – A Social Security number
 – An identifier that allows a specific person to be contacted either physically or online
 – Any other information concerning a person collected through a website
• “Sale” is clarified to be “the exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons.”

Taking actionable steps toward compliance is now the name of the game, as most businesses thought they had until the end of the year to get ready for CCPA, and really, six months beyond that until it gets enforced. However, the Nevada requirement landing on October 1, 2019, means many of these businesses will have to scramble and take immediate steps to reach compliance. The clear first step for businesses operating in Nevada is to create a “designated request address” in order to receive opt-out requests. Then develop a clear system to receive and verify these requests. The requests can then be processed and tracked, provided policies and procedures are in place to make sure the appropriate documentation is being created and housed. This includes training staff on how to handle the requests. Whether or not they are prepared, businesses need to accept that operating in Nevada means new privacy benchmarks to be aware of. And surely many more states will follow Nevada, as New York has attempted, and others are considering.

A Sit-Down with NAGARA Leader Johnny Hadlock

Johnny Hadlock has worked in the non-profit, for-profit and public sectors for over 15 years. He earned his Bachelor of Arts degree in Political Science from Brigham Young University in 2010, and went on to earn his Master of Public Administration degree from George Mason University in 2014. Johnny began his career working in client training, technical support, and customer service for a Fortune 500 company before transitioning to the U.S. House of Representatives, working as a Legislative Aide and Manager of Media Relations for a Member of Congress. After working nearly three years on Capitol Hill, Johnny served as a North Carolina Deputy State Manager during the 2012 presidential election. There, Johnny worked on campaign data and analytics, managed various election projects, and served as a state-wide surrogate for the campaign. Johnny’s political communication and management work provided him with invaluable contacts and experience working with difficult and demanding personalities in high-stakes, high-pressure environments. Prior to becoming the executive director for the National Association of Government Archives & Records Administrators (NAGARA), Johnny worked for a large, Washington, DC-based trade association with over 11,000 members, where he focused on improving the organization’s overall customer service program, creating an innovative budget tracking system, and increasing membership retention and acquisition rates, while also representing the association at numerous trade shows and conferences, and proposing and implementing new association innovations. In his leadership role at NAGARA, Johnny oversees the non-profit’s overarching business strategy, manages the development of new educational opportunities and member initiatives/benefits, executes the association’s events and relationships with external partners, and implements various strategies for membership growth and retention.

IGW: Where did you grow up, and go to school?

I grew up in Spanish Fork, Utah, a tiny farm town about an hour south of Salt Lake City. I was a proud “Mighty Don” (our high school mascot), and following graduation and a two-year church service mission, I went to college and obtained my undergraduate education from Brigham Young University.

What activities did you enjoy most as a child?

I actually grew up playing little league baseball. But as a left-handed batter, I kept getting pegged by right-handed pitchers who didn’t know how to throw to a lefty. I hated getting hit by pitches every other game, and eventually quit the sport. I was young and the fear of stepping into the batter’s box just outweighed the other joys of the sport. I remember the summer I quit playing baseball (for the second time actually) my dad said to me, “We’re gonna put you into something less dangerous: musical theater.” And from that point on, I became quite a little stage performer and “star” in my hometown theater scene, performing in dozens of musicals and plays and eventually aspiring to one day perform on Broadway. (This never happened, and the dream has died, but I still love musical theater and organize groups of friends to go see shows at various venues.)

What stirred your interest in politics early on?

It was really a combination of things, actually. My dad was very interested in politics and I listened regularly to talk radio with him—one of the many ways we bonded (and also one of the ways I learned about various “adult” topics during the Clinton Presidency, hint hint). Also, my childhood best friend’s father served on city council in my hometown and I remember going door to door hanging political flyers for his campaign as a kid. It was fun. I felt like I was making a big difference—as small as it may have actually been. I was also raised with a deep love and appreciation for America and our freedoms. My mother was born and raised in Belgium, and my grandpa was a Socialist (which she explained to me was the lesser of two evil party choices he was offered). There was a lot of talk growing up about freedom and how lucky I was to be born and raised in America, etc.

I also recall many of my earliest memories surrounded political events: The Gulf War, watching some of the Clinton/Bush/Perot debates (I was only 8 years old and didn’t know exactly what was going on), and I also vividly remember Barbara Bush (with her Republican red dress and big white hair) holding hands and waving with George H.W. So from a very young age, I had lots of politically influenced experiences and memories that shaped who I was to become.

What big thing did you learn about working in politics?

Oh gosh… the biggest thing I learned about politics is that it wasn’t actually the right fit for me in the end. Although there are certainly lots of genuinely good people who desire to do the right thing, it’s a dirty sport. Once I got inside the belly of the beast, I became convinced I couldn’t be happy in life with a political career. What did it for me was the realization that I held certain core values and beliefs, and I couldn’t bring myself to accept the idea that I’d probably have to end up sacrificing so much of those to either get ahead or support something (or someone) in which I didn’t truly like or believe.

What motivated you to go back to school to get your Masters in Public Administration?

It was really just the next progressive step to take in my life. I was working on Capitol Hill when I decided to go back and get my masters. A couple of my friends were going back to law school (which I personally didn’t want to do), and after two years of spinning my wheels in a Congressional Office, I was getting anxious about my next steps. By that point in my life I absolutely knew I didn’t want to stay in politics forever, and Hill life and culture was becoming excruciatingly redundant and unexciting to me. So my decision to go back to school was motivated by a combination of my disappointment with the true nature of politics and my friends’ personal educational ambitions. That’s the honest answer, though maybe not too inspiring. I suppose the greatest takeaway here is this: surround yourself with good people who motivate and inspire you. You are, after all, the company you keep.

As Executive Director at NAGARA, what initiatives have you undertaken and what have been the results?

Here’s the not-so-secret secret about membership organizations in general: most people don’t join them to be charitable or altruistic; most people join them to get something back from them. So among the many questions I asked myself when I first stepped into my role at NAGARA was this: what “carrots” or “incentives” are we offering our members? The answer, before I arrived, was not many. But I saw such amazing, untapped potential in the organization and I convinced the Board to allow me to implement some new ideas that I believed would transform the organization. Among them was executing a quality monthly webinar series, developing an online Resource Library, and hosting Regional Forums (mini one-day conferences to complement our Annual Conference). Each of these ideas aimed to bring NAGARA closer to the homes of our members and add value to the membership proposition. And boy did it work! There were fewer than 200 members when I began working for NAGARA in 2016, and today, we’re nearing 1,200 members. I attribute this exponential growth to the successful implementation of these initial programs. Now, NAGARA is in an incredible place with the resources necessary to refine and expand our program and service offerings. The organization has entered a new phase. We just wrapped up hosting our largest Annual Conference in history, our volunteer and membership base has exploded, we’ll be rolling out new programs and member benefits this Fall, and the educational programming is getting better and better by the month! Stay tuned – this is an organization you want to keep your eye on!

What has surprised you the most about working with the NAGARA organization?

Simply put: NAGARA is a fantastic organization full of amazing and talented people! I sheepishly admit that when I first began working for NAGARA, I expected the members and leaders to be similar to the stereotypical “boring” archivist or librarian you see in the movies. Quiet. Reserved. Slow. Conservative. But after my very first meeting, I was astonished at how naïve and wrong I was (and I’m not shy about admitting my mistakes). The people of NAGARA blew me away! This is an organization full of energetic, gregarious, dedicated, smart, patriotic, selfless people. This is an organization of leaders. To the outsider, NAGARA may seem like an esoteric organization. But the work and responsibilities of the professionals who make up our membership are vital and significant. I’ve never been more satisfied in my professional life than I am serving here at NAGARA.

What advice would you give to association management professionals just starting out?

Simple advice: get your feet really wet! Learn as much as you can. Volunteer to lead and manage various projects. Accept every assignment. Learn everything you can about the different software systems used by your clients. Be hungry to learn. Association management professionals need to be well-versed and knowledgeable in many things, so don’t ever get comfortable where you are. Keep diving deep and learning everything you can. A second piece of advice is this: be a proactive thinker. When a problem or question arises, don’t just ask others for their help to solve the problem or answer the question; think about possible solutions or answers yourself. I’ve been most surprised in my career by the number of passive thinkers I’ve encountered—maybe it’s a cultural thing? When somebody approaches me with a problem or question, I usually ask them: Have you already thought about some possible solutions/answers? What are they? If you want to get ahead in life (personally or professionally) learn to master the art of proactive thinking.

What hobbies or special skill do you have that might surprise your colleagues?

Well, there’s not much I hide from my colleagues. I’m a pretty transparent person and talk openly and regularly about my life. So although not much would probably surprise them, I think the members of NAGARA might be surprised to learn that I play competitive adult kickball as a hobby. In addition to my league play here in Washington, DC (team name: Resting Pitch Face) I also travel twice a year to national tournaments. I play first base on my team and we’re pretty darn good (read: this is my not-so-humble way of saying we usually win). It’s been a great competitive outlet for me, I’m not afraid to step into the batter’s box anymore, and I’ve made some amazing friends across the country.

What is your favorite restaurant in D.C., why do you like it, and what do you like most on their menu?

This is really a tough one. I’m a big foodie and love going out and trying new places. I actually put myself through grad school by serving tables at Founding Farmers, so that might seem like the obvious answer. But while Founding Farmers is surely amazingly delicious, it gets enough press… so I’m going to say my favorite restaurant in DC is Doi Moi—a Southeast Asian-inspired restaurant on 14th street. Instead of ordering an entrée, I prefer to make my own meal by ordering a few small dishes: the Marinated Beef Jerky, Sauteed Okra, and Banana Blossom Salad. I usually order a side of sticky rice to help temper the spice and heat in between bites. For dessert, I get their Mango Sticky Rice, which is different and special: they infuse the dish with a butterfly pea flower that adds a lovely flavor and cool blue color to it. Try it—you’ll be glad you did!

Johnny may be reached at jhadlock@sso.org


INFORMATION GOVERNANCE

BEST PRACTICES CHAPTER #1

The Information Governance Imperative

Information governance (IG) programs improve operational efficiency and compliance capabilities while leveraging information as an asset to maximize its value. Active IG programs are the hallmark of well-managed organizations, and increasingly IG has become an imperative, especially for global enterprises. A “perfect storm” of compliance pressures, cybersecurity concerns, Big Data volumes, and the increasing recognition that information itself has value have contributed to a significant increase in the number of organizations implementing IG programs. Most significantly, the European Union (EU) General Data Protection Regulation (GDPR), which went into effect May 25, 2018, left companies across the globe scrambling to gain control over the consumer data they had housed. The GDPR legislation applies to all citizens in the EU and the European Economic Area (EEA), regardless of where they reside, and also visitors and temporary residents of the EU. So any global enterprise doing business with EU/EEA citizens—or even visitors—must comply with the legislation, or face a major fine. The primary goal of GDPR is to give citizens control over their personal data.

INFOGOVWORLD.COM

Brought about in part because of GDPR compliance concerns, membership in the International Association of Privacy Professionals (IAPP) grew from around 25,000 members in 2017 to over 40,000 members in 2018, and it continues to grow. Further, the 2016 U.S. presidential election hacking and theft of proprietary election research by Russian spies has arguably brought many more into the privacy conversation as concerns about cybersecurity intensify. A first step in the GDPR compliance process is to conduct an inventory of an enterprise’s information assets to create a data map showing where all incidences of data are housed. This is commonly the first major implementation step in IG programs, so the IG discipline and support for IG programs made substantial strides in 2018 and the lead-up to GDPR going into effect.

Then California passed its California Consumer Privacy Act (CCPA), which borrowed many concepts from GDPR and required that any company (of a certain size) handling the personally identifiable information (PII) of California residents (in specified volumes) comply by January 1, 2020. Suddenly, U.S.-based companies could no longer ignore privacy regulations, and the momentum for IG programs that could manage privacy compliance requirements accelerated. During this same time frame, data breaches and ransomware attacks became more prevalent and damaging, and organizations adopted IG programs to reduce the likelihood of cyberattacks, and their impact. IG programs implement effective risk reduction countermeasures. Added to that has been the continued massive increase in overall data volumes that organizations must manage, which results in managing a lot of unknown “dark data,” which lacks metadata and has not been classified, and also redundant, outdated, and trivial (ROT) information that needs to be identified and disposed of. Cleaning up the ROT that organizations manage reduces their overall storage footprint and costs, and makes information easier to find, leading to improved productivity for knowledge workers.

IG programs are also about optimizing and finding new value in information. The concept of managing and monetizing information is core to the emerging field of infonomics, which is the discipline that assigns “economic significance” to information and provides a framework to manage, measure, and monetize information. Doug Laney, then at Gartner, published a groundbreaking book in 2018, Infonomics, which delineates infonomics principles in great detail, providing many examples of ways organizations have harvested new value by finding ways to monetize information.

EARLY DEVELOPMENT OF IG

IG has its roots in the United Kingdom’s health-care system. Across the pond, the government-funded National Health Service (NHS) has focused on IG to ensure data quality and protect patient data since 2002. Although IG was mentioned in journals and scholarly articles decades ago, the UK is arguably the home of healthcare IG, and perhaps the IG discipline. Could this be the reason the UK leads the world in healthcare quality? Certainly, it must be a major contributing factor. The United States has the most expensive healthcare in the world, the most sophisticated equipment, the most advanced medicines, the best-trained doctors—yet in a recent study of healthcare quality, the United States came in dead last out of 11 civilized nations. The UK, Switzerland, and Sweden topped the list. The U.S. health-care problem is not due to poor training, inferior equipment, inferior medicines, or lack of financial resources. No, the problem is likely primarily a failure to get the right information to the right people at the right time; that is, caregivers must have accurate, current clinical information to do their jobs properly. These are IG issues.

Since 2002 each UK healthcare organization has been tasked with completing the IG Toolkit, managed by NHS Digital for the UK Department of Health. Although the IG Toolkit has evolved over the years, its core has remained constant. However, in April 2018 it was replaced with a new tool, the Data Security and Protection Toolkit, based around National Data Security Standards that have been formulated by the UK’s National Data Guardian.

BIG DATA IMPACT

According to the research group Gartner, Inc., Big Data is defined as “. . . high-volume, high-velocity and high-variety information assets that demand cost-effective, innovative forms of information processing for enhanced insight and decision making.” A practical definition should also include the idea that the amount of information—both structured data (in databases) and unstructured information (e.g., e-mail, scanned documents, PDFs, MS Office documents)—is so massive that it cannot be processed using traditional database tools (e.g., DB2, SQL) and analytic software techniques. In today’s information overload era of Big Data—characterized by massive growth in business data volumes and velocity—the ability to distill key insights from enormous amounts of data is a major business differentiator and source of sustainable competitive advantage. In fact, a report by the World Economic Forum stated that data is a new asset class and personal data is “the new oil.” And we are generating more than we can manage effectively with current methods and tools. The Big Data numbers are overwhelming: Estimates and projections vary, but it has been stated that 90 percent of the data existing worldwide today was created in the past two years, and that every two days more information is generated than was from the dawn of civilization until 2003. This trend will continue.

Certainly, there are new and emerging opportunities arising from the accumulation and analysis of all that data we are busy generating and collecting. New enterprises are springing up to capitalize on data mining and business analytics opportunities. Back in 2012, the U.S. federal government joined in, announcing $200 million in Big Data research programs. However, established organizations, especially larger ones, are being crushed by this onslaught of Big Data: It is just too expensive to keep all the information that is being generated, and unneeded and ROT information becomes a sort of irrelevant sludge of data debris for decision makers to wade through. They have difficulty knowing which information is accurate and meaningful “signal,” and which is simply irrelevant “noise.” This means they do not have the precise information on which they can base good business decisions. And it has real costs: The burden of massive stores of information has increased storage costs dramatically, caused overloaded systems to fail, and increased legal discovery costs. Furthermore, the longer that data is kept the more likely that it will need to be migrated to newer computing platforms, driving up conversion costs; and legally, there is the risk that somewhere in that mountain of data an organization keeps is a piece of information that represents a significant legal liability.

This is where the worlds of Big Data and business collide. For Big Data proponents, more data is always better, and there is no perceived downside to the accumulation of massive amounts of data. In the business world, though, the realities of legal e-discovery mean the opposite is true. To reduce risk, liability, and costs, it is critical for unneeded or useless information to be disposed of in a systematic, methodical, and “legally defensible” (justifiable in legal proceedings) way, when it no longer has legal, regulatory, or business value. Organizations are struggling to reduce and right-size their information footprint by discarding superfluous and redundant data, e-documents, and information. But the critical issue is devising policies, methods, and processes, and then deploying information technology (IT) to sort through the information and determine what is valuable and what no longer has value and can be discarded. IT, compliance, and legal representatives in organizations have a clear sense that most of the information stored is unneeded, raises costs, and poses risks. According to a survey by the Compliance, Governance and Oversight Council (CGOC), respondents estimated that approximately one-quarter of information stored in organizations has real business value, while 5 percent must be kept as business records, and about 1 percent is retained due to a litigation hold. This means that [about] 69 percent of information in most companies has no business, legal or regulatory value. “Companies that are able to dispose of this debris return more profit to shareholders, can use more of their IT budgets for strategic investments, and can avoid excess expense in legal and regulatory response.” With a smaller information footprint, organizations can more easily find what they need and derive business value from it. They must eliminate the data debris regularly and consistently, and to do this, processes and systems must be in place to cull out valuable information, and discard the data debris. An IG program sets the framework to accomplish this.

The business environment has also underscored the need for IG. According to Ted Friedman at Gartner, “The recent global financial crisis has put information governance in the spotlight .... [it] is a priority of IT and business leaders as a result of various pressures, including regulatory compliance mandates and the urgent need for improved decision-making.” And IG mastery is critical for executives: Many CIOs in regulated industries have been fired from their jobs for failed IG initiatives.

Preview of Information Governance: Concepts, Strategies, and Best Practices (Wiley, 2019), by Robert F. Smallwood


25 Exciting things to do with an Information Asset Register

BY REYNOLD LEMING

Many organisations have undertaken information audits to gain an insight into this highly valuable corporate asset. This is particularly the case for those who will be governed by the EU General Data Protection Regulation, and associated local data protection law, where there are increased obligations to maintain documentary evidence of processing activities. However, there are, of course, many drivers for understanding the information assets maintained and used within an organisation, their characteristics, their value and the risks associated with them. Whether in a spreadsheet form or (ideally) a database, an Information Asset Register (IAR) is used to record the inventory. This article explores (in no particular order of importance) 25 potentially beneficial outcomes from populating, maintaining and interrogating an IAR.

1. UNDERSTANDING ASSET RELATIONSHIPS: A related series of records sharing the same purpose (an “asset collection” if you will) might have a variety of constituent entities (“assets”) in different formats - e.g. physical records, digital content, system data. Identifying these within an IAR, with a suitable narrative recorded, will enable an understanding of their relationships and purpose over time. This could include, for example, recording the “story” of how paper originals and resulting images have been handled within a document scanning process, or the retirement and introduction of systems to store particular data sets. Allied to this is tagging assets to a business classification scheme of the functions and activities of your organisation. This allows the assets to be categorised to a vocabulary of business activity that is neutral to and more stable than organisational structures (which can change more often than what an organisation actually does), provides a collated corporate view of assets maintained based upon their purpose (for example many departments will hold invoice, staff, policy and contract records) and identifies assets related to cross-cutting processes involving different teams. It also allows the consistent inheritance and application of business rules, such as retention policies.

2. SECURITY CLASSIFICATION: Assets can be classified within the IAR to an approved security classification / protective marking scheme, with current protective measures recorded, in order to identify if there are any risks relating to the handling of confidential personal or commercially sensitive information. You can assess that assets are handled, stored, transferred and disposed of in an appropriate manner.

3. PERSONAL DATA: Specifically, you can identify confidential personal information to ensure that data protection and privacy obligations are met. For example, the GDPR contains many obligations that require a thorough understanding of what personal data you process and how and why you do so. Many requirements for keeping records as a data controller for GDPR Article 30 can be supported by the information asset inventory. For example, the asset attributes can describe the purposes of the processing, the categories of data subjects and personal data, categories of recipients, relevant transfers, envisaged time limits for erasure of the different categories of data and a general description of the technical and organisational security measures. It will also help data processors keep a record of the categories of processing, transfers of personal data to a third country or an international organisation and a general description of the technical and organisational security measures. Much of the information about personal data required for Article 30 compliance is also useful to meet obligations under Article 13 and Article 14 on information to be provided, for example via privacy notices or consent forms. Under Chapter 3 of the GDPR, data subjects have a number of rights. Understanding things like the location, format, use of and lawful basis of processing for different categories of personal data will provide insights to support responses to rights and requests. Under Article 25 of the GDPR there are requirements for Data Protection by design and by default. Additionally, under Article 35 there are requirements relating to Data Protection impact assessments. The inventory can provide insight into which processes and systems need to be assessed based upon, for example, the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing. As mentioned above, it is important to identify who personal data is shared with. The inventory can support this as well as specifically enable monitoring of the existence or status of suitable agreements. For example, under Article 28 of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or Member State law. Article 32 of the GDPR covers security of processing, with requirements to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Using the inventory, you can assess the security measures in place for assets against their level of confidentiality. It also can help with identifying the data sets where, if anything unfortunate were to happen, there are considerations regarding Article 33 Notification of a personal data breach to the supervisory authority and Article 34 Communication of a personal data breach to the data subject.

4. OWNERSHIP: An IAR delivers the ability to know: Who owns what? This includes understanding ownership both in terms of corporate accountability and ownership of the actual information itself. You could also record who administers an asset on a day-to-day basis if this is different.

5. BUSINESS CONTINUITY: An organisation will have vital / business critical records that are necessary for it to continue to operate in the event of a disaster. They include those records which are required to recreate the organisation’s legal and financial status, to preserve its rights, and to ensure that it can continue to fulfil its obligations to its stakeholders. Assets can be classified within the IAR to an approved criticality classification scheme, with current protective measures recorded, in order to assess whether they are stored and protected in a suitable manner and identify if there are any risks relating to business critical (“vital record”) information. You can also identify the Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for assets to support a disaster recovery or data protection plan.

6. ORIGINALITY: You can identify whether an asset is original or a copy, ascertaining its relative importance and supporting decisions on removing duplication and the optimisation of business processes.

7. HERITAGE: You can identify records of enduring historical importance that can be transferred at some stage to the custody of a corporate or third-party archive.

8. FORMATS: An IAR delivers the ability to understand the formats used for information, supporting decisions on digital preservation or migration.

9. SPACE PLANNING: In order to support office moves and changes, data can be gathered for physical assets relating to their volume, footprint, rate of accumulation, use, filing methods etc.

10. SUBJECT MATTER: If assets are tagged to a business classification scheme of functions and activities, as well potentially to a keyword list, the organisation can understand the “spread” of record types (e.g. who holds personnel, financial, contractual records) and/or “discover” resources for knowledge management or eDiscovery purposes.

11. ARCHIVE MANAGEMENT: You can use an IAR to understand what physical records (paper, samples, backup tapes etc.) are archived, where and when; this might, for example, identify risks in specific locations or issues with the regularity of archiving processes. The organisation can also understand its utilisation of third-party archive storage vendors - potentially supporting decisions on contract management / consolidation - and maintain its own future-proof inventory of archive holdings. Archive transactions can be recorded if there is no system to otherwise do so.

12. LOCATION: The “location” of an asset can, of course, be virtual or physical. This (together with other questions relating to, for example, security measures) is important to ensure that information assets are suitably protected. It also helps in the planning of IT systems and physical filing / archiving services. The benefits for archive management are explored above and for maintaining a system catalogue below. Other examples might be to identify physical records to gather when doing an office sweep following vacation of a floor or building, or what assets are held in the cloud, or asset types within a given jurisdiction. It would also be a further method to support the “discovery” of resources for knowledge management or eDiscovery purposes.

13. RETENTION: An IAR can be used both to link assets with approved records retention policies and understand the policies and methods currently applied within the organisation, therefore identifying queries, risks and issues. The IAR can also be used to maintain the actual policies (across jurisdictions if applicable) and their citations; if a law changes or is enacted, relevant assets can be identified for any process changes to be made. You can track retention policy revisions and the approvals for doing so.

14. DISPOSAL: An IAR can be used both to link assets with approved destruction or transfer policies and understand the processes and methods currently applied within the organisation, therefore identifying queries, risks and issues, particularly for confidential information. Notifications of disposition reviews can be generated based upon review cycles associated with policies. Disposal events / transactions, such as destruction or transfer to historic archive, can be recorded against assets if there is no system to otherwise do so.

15. SOURCE: The source of assets can be identified to understand where information is derived from and better manage the information supply chain. Under Article 14 of the GDPR, part of the information the controller shall provide to the data subject to ensure fair and transparent processing includes from which source the personal data originates, and if applicable, whether it came from publicly accessible sources.

16. RIGHTS: The rights held in and over assets can be identified, such as copyright and intellectual property, in order to protect IPR and to avoid infringement of the rights of others.

17. APPLICATIONS CATALOGUE: The application systems in use (e.g. content management, front and back office) can be identified and linked to locations, people, activities and, of course, assets. Licensing and upgrade criteria could also be managed. It would also be possible, for example, to identify system duplication or the use of homegrown (as opposed to purchased) databases.

18. CONDITION: Both physical and digital assets can degrade: this can be identified for assets, with conservation / preservation actions taken accordingly.

19. AGE: The age of assets can be established, with decisions made on their further retention / disposal, the need for archiving (historic or business) and potentially whether they need to be superseded with newer resources.

20. RECORD ORGANISATION AND REFERENCING: An understanding can be gained of whether structured systems, schemes and approaches are in place to describe, reference and organise physical and electronic assets, identifying if there are likely to be any issues with finding information.

21. UTILISATION: An understanding can be gained of whether assets are proposed, active, inactive, discontinued / superseded, therefore enabling decisions on their format, storage, disposal etc.

22. SHARING: An IAR can be used to identify how information is shared within and without the organisation, helping ensure that it is available as required, and that suitable security measures and, where applicable, information sharing agreements are in place. This supports compliance with Article 30 of the GDPR as part of the records of processing activities.

23. PROVENANCE: Fundamentally an IAR can provide an accountable audit trail of asset existence and activity, including any changes in ownership and custody of the resource since its creation that are significant for its authenticity, integrity and interpretation.

24. PUBLICATIONS: Information produced for wider publication to an internal or external resource can be identified, including, for example, the audience for whom the resource is intended or useful, the channels used for distribution and the language(s) of the content, thus facilitating editorial, production and dissemination planning and management.

25. QUALITY: Observations can be recorded on the quality of assets (e.g. accuracy, completeness, reliability, relevance, consistency across data sources, accessibility), with risks and issues identified and managed.

29


INFORMATION PRIVACY

IS CCPA JUST A “MINI GDPR”?

BY MARK DRISKILL

Our digital-based identities reveal what we do in the cyber world. They are like footprints left in the sand. Starting in January 2020, the protection of cyber-footprints in the USA will get a significant boost. This is when the much-anticipated California Consumer Privacy Act (CCPA) will take effect (although enforcement begins six months later). This major legislation comes on top of the sweeping set of digital privacy laws adopted by the European Union (EU) in May 2018: the General Data Protection Regulation (GDPR). Many may wonder what the two sets of laws have in common. And some have dubbed CCPA a “mini GDPR.” [1] This is a misleading nickname because they approach Personally Identifiable Information (PII) in different ways. In fact, the GDPR uses a broader definition of PII that is referred to as personal data (PD). Perhaps the most pressing question is how well CCPA and GDPR work together to create a better digital privacy environment. Although both share the goal of protecting consumers as they move about online using their digital identities, the scope and spirit of each are distinct enough to warrant an in-depth examination of the differences in how each approaches PII. This will answer a key question: Are CCPA and GDPR interchangeable or complementary?

A key difference is scope. The CCPA is a state-wide Act meant to serve California businesses as they conduct certain activities in the digital realm and primarily for the collection of PII. The Act singles out business activities under specific conditions. For example, the business must do business in California and meet one of three criteria: (1) $25 million in annual revenue; (2) Must “buy, sell, share and/or receive the personal information of at least 50,000 California consumers, households or devices, per year;” [2] (3) The business must also obtain at least 50 percent of their annual revenue from selling California consumers’ digital footprints. This is a recognition that these California businesses will collect some information; but must be accountable to ownership regulations under the “collection” scope. [3]

GDPR is a set of regulations that govern how everyone must handle the digital footprints and identities attached to EU citizens. This is seen as a human right. As outlined by Article 17 of the International Covenant on Civil and Political Rights (ICCPR): (1) “No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honor and reputation;” (2) “Everyone has the right to the protection of the law against such interference or attacks.” [4] The GDPR protects through a regulatory framework the activities of all EU residents wherever they are. The mere recognition that California companies can and do legally collect some digital information points to a reluctance to define things like “arbitrary interference.” In recognition of this, the CCPA defines personal information in very specific and detailed terms. [5] For example, CA. CIV 1798.140 lists “aggregate consumer information” and “biometric information” separate and apart from “business.” The same section contains a detailed definition of PII that does not conflict with the GDPR’s definition. [6] Because CCPA protects businesses from a litigation and liability perspective, it must be more specific about what actions businesses take that could violate someone’s digital privacy. In contrast, GDPR is citizen focused, meaning businesses must not violate a citizen’s privacy, and they face scrutiny on the human rights/international level if they do. GDPR also guarantees EU citizens the right to have a human make legal decisions rather than be liable to automation. This constitutes a right to stop automated decision-making that is not present in CCPA. In sum, GDPR regulates the processing of PII and PD while CCPA regulates collection of PI. Both regulations are sorely needed to address the unrestrained collection and sale of citizens’ PII and PD. And there will be more regulations to come, from states and likely on a federal level, as the days of the Wild West of data collection abuse are slowly drawing to a close.

REFERENCE:
[1] https://www.itspmagazine.com/itsp-chronicles/the-california-consumer-privacy-act-a-mini-gdpr; https://www.lexology.com/library/detail.aspx?g=60487525-76ea-44e3-97a8-3b9b02987c2e
[2] https://californiaemploymentlaw.foxrothschild.com/2019/05/articles/labor-law-2/whoexactly-is-subject-to-the-ccpa/
[3] https://www.pwc.com/us/en/services/consulting/cybersecurity/california-consumer-privacy-act.html
[4] https://treaties.un.org/doc/publication/unts/volume%20999/volume-999-i-14668-english.pdf
[5] https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.
[6] See Section 1798.140 (o)(1)


News

BIG TECH ON NOTICE WITH GDPR

With passage of the EU General Data Protection Regulation (GDPR), companies like Facebook and Google must address how they inform users about their “Terms of Service” and changes to them. Hence, on April 9, 2019, the European Commission ordered Facebook to change “its terms of service to explain clearly how the company makes money by selling user data.” [1] The new terms of service must state what data Facebook sells to third parties, including data brokers or ad exchanges, how it will respond to misuse of data by third parties, and under what conditions it can unilaterally change its terms.

One change is a greater reliance on formal privacy notices. Companies that collect data about their users must include specific information in these privacy notices that alerts users to how and why they are collecting the data. [2] “The main challenge for Data Protection Officers (DPOs) is to ensure terms and conditions and privacy notices do not become mixed up.” [3] With GDPR, the privacy notice is elevated to statutory status, gaining as much importance as the terms of service or conditions, the latter of which can be convoluted and hard to understand. Maintaining a separation between “privacy notices” and “terms and conditions” is a primary challenge for those businesses that must adhere to the new GDPR.

These laws help users understand their privacy rights as they consent to legalistic and often obscure terms of service agreements. Although public awareness brought about by the data collection actions of companies like Facebook and Google has illuminated the complexities regarding the use of Personal Data (PD), “terms of service” should retain the qualities of a legal document. A privacy notice, however, should be short and concise, much like a mission and vision statement. This was not the case with Google. The German Federal Competition Office ordered Google to take out 25 clauses in its privacy policy and terms of service agreements, an indication that the EU is pushing back against the monetization of PD. German officials also discovered that much of the policy had been written in 2012 but was still in use today.

REFERENCE: [1] Jennifer Baker, “Terms, Conditions and Considerations Under the GDPR,” CPO Magazine, August 27, 2019, https://www.cpomagazine.com/data-protection/terms-conditions-and-considerations-under-the-gdpr/?mc_cid=3b927a6a53&mc_eid=c8c61a9c72 [2] https://gdpr.eu/privacy-notice/ [3] Jennifer Baker, op. cit.


INFORMATION PRIVACY

CEOS FROM BIG TECH ASK CONGRESS TO PASS FEDERAL DATA PRIVACY LAW

The CEOs of over 50 companies from the Business Roundtable, including Amazon, IBM and Salesforce, signed a letter to U.S. congressional leaders in September urging them to create “a comprehensive consumer data privacy law.” Notably missing from the signatories to the letter was Tim Cook, Apple’s CEO, who has been a vocal supporter of data privacy measures. Cook advocated for “a comprehensive federal privacy law” in the U.S. during a speech at a privacy conference in Brussels last year. Perhaps Cook is holding out for stronger legislation, as it is no secret that big tech wants a watered-down federal privacy law so they can continue their surveillance and collection of personal data relatively unrestrained.

The executives stated jointly that a federal law is necessary to ensure “strong, consistent protections for American consumers” and allow “American companies to continue to lead a globally competitive market.” The letter was addressed to leaders of the House Energy and Commerce committees and the Senate Commerce, Science and Transportation committees, in addition to House and Senate leaders.

The letter comes as lawmakers have been more closely scrutinizing Big Tech over its data practices. The Federal Trade Commission recently issued two major fines to Google and Facebook over their handling of user data. And in September, 50 attorneys general from U.S. states and territories announced an investigation into Google’s advertising business, which heavily relies on data. With this new message, tech leaders are offering their “help” in forming legislation that could regulate their own industry.

Read the full letter:

Dear Leader McConnell, Speaker Pelosi, Leader Schumer, Leader McCarthy, Chairman Wicker, Chairman Pallone, Ranking Member Cantwell and Ranking Member Walden:

We write to urge you to pass, as soon as possible, a comprehensive consumer data privacy law that strengthens protections for consumers and establishes a national privacy framework to enable continued innovation and growth in the digital economy. There is now widespread agreement among companies across all sectors of the economy, policymakers and consumer groups about the need for a comprehensive federal consumer data privacy law that provides strong, consistent protections for American consumers. A federal consumer privacy law should also ensure that American companies continue to lead a globally competitive market.

As Chief Executive Officers of leading companies across industries, our companies reach virtually every American consumer and rely on data and digital platforms every day to deliver and improve our products and services. Consumer trust and confidence are essential to our businesses. We are committed to protecting consumer privacy and want consumers to have confidence that companies treat their personal information responsibly. We are also united in our belief that consumers should have meaningful rights over their personal information and that companies that access this information should be held consistently accountable under a comprehensive federal consumer data privacy law.

Consumers have grown accustomed to a breadth of resources and services made available over the internet across state borders and even globally. Consumers should not and cannot be expected to understand rules that may change depending upon the state in which they reside, the state in which they are accessing the internet, and the state in which the company’s operation is providing those resources or services. Now is the time for Congress to act and ensure that consumers are not faced with confusion about their rights and protections based on a patchwork of inconsistent state laws. Further, as the regulatory landscape becomes increasingly fragmented and more complex, U.S. innovation and global competitiveness in the digital economy are threatened.

We urgently need a comprehensive federal consumer data privacy law to strengthen consumer trust and establish a stable policy environment in which new services and technologies can flourish within a well-understood legal and regulatory framework. Innovation thrives under clearly defined and consistently applied rules.

Business Roundtable has released a Framework for Consumer Privacy Legislation (attached to this letter), which provides a detailed roadmap of issues that a federal consumer privacy law should address. As the Framework describes, a comprehensive federal consumer data privacy law should create robust protections for consumers by requiring businesses to take responsibility for the collection, use and sharing of personal information.

The United States has been a global leader in technology and data-driven innovation and now has the opportunity to lead on consumer data privacy for the benefit of all consumers, companies and commerce. We stand ready to work with you.


News

ISO RELEASES NEW PRIVACY COMPLIANCE STANDARD

In early August, a new international standard was released to help organizations protect and control the personal information they manage. ISO and the International Electrotechnical Commission (IEC) released ISO/IEC 27701, a privacy extension to ISO/IEC 27001 and ISO/IEC 27002. This new ISO standard might become the de facto standard for organizations needing to protect personal data (PD) and personally identifiable information (PII). Compliance with the new standard may also be used to demonstrate compliance with privacy regulations around the globe, including GDPR and possibly California’s Consumer Privacy Act (CCPA).

What is in the new privacy standard?

ISO/IEC 27701 provides detailed requirements and guidance for developing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS) built on top of a foundational Information Security Management System (ISMS). The PIMS must take into account the privacy protections required for processing PD and PII in addition to information security. But not every control listed in the new standard has to be implemented. Instead, ISO/IEC 27701 requires reasonableness. Organizations must understand the particular context in which they process PD/PII and adjust the selected set of controls, and the implementation of those controls, in a way that is appropriate to their processing activities.

The newly published standard applies to both controllers (as well as joint controllers) and processors (including sub-processors) of PII, regardless of the jurisdictions and sectors in which they operate, and also includes mappings to the GDPR and to the ISO/IEC 29100, ISO/IEC 27018, and ISO/IEC 29151 security frameworks. Mappings of the ISO/IEC 27701 requirements to other privacy laws, such as the California Consumer Privacy Act of 2018 (CCPA), the Gramm-Leach-Bliley Act (GLBA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA), should be expected and will likely aid organizations by providing a common standard for demonstrating compliance with these regulatory regimes.

Organizations that follow the requirements of ISO/IEC 27701 will create documentary evidence of how they handle the processing of PD/PII, which may be used to facilitate agreements with business partners where the processing of PD/PII is relevant and to clarify the organization’s processing of PD/PII with other stakeholders. Although the GDPR does not yet have an accredited certification method, it is likely that in the near term ISO/IEC 27701 could change that.

ISO/IEC 27701 At-A-Glance

ISO/IEC 27701 is a new, privacy-oriented standard that extends the foundation of the widely-accepted ISO/IEC 27001 security standard.
• To get certified on ISO/IEC 27701, organizations must first be certified on ISO/IEC 27001.
• ISO/IEC 27001 focuses on controls for basic security measures, whereas ISO/IEC 27701 focuses on protecting personal information with new requirements and controls, and implementation guidance.
• GDPR (and related privacy regulations globally) compliance can be demonstrated by certification on ISO/IEC 27701.
• Businesses may want to require third party suppliers that handle sensitive personal information to certify on ISO/IEC 27701.
• Third party vendors handling personal information may want to start to build on ISO/IEC 27001 compliance to move toward ISO/IEC 27701 certification.

GOOGLE REJECTS PROPOSED W3C DATA PRIVACY STANDARD

Google is pushing back on privacy standards and legislation, in an effort to preserve its lucrative but invasive ad placement business. Google just vetoed a data privacy standard proposed by one of the standards bodies of the World Wide Web Consortium (W3C). W3C is an international community whose primary purpose is to develop standards that will guide the World Wide Web to its full potential. It is led by one of the inventors of the web, Tim Berners-Lee, and CEO Jeffrey Jaffe. The web consortium has over 450 members including Google, Microsoft, Netflix, Apple, Amazon, Alibaba and Airbnb. According to Bloomberg News, Google blocked the data privacy standard proposed by the Privacy Interest Group (PING) of the W3C. New policies are discussed and refined within these standards bodies before they are sent to W3C members for approval. Since W3C makes its decisions by consensus, an objection from a member organization is considered an effective veto of a proposed policy. And, that’s just what Google did—preventing PING from passing a data privacy standard that would have limited Google’s access to user data. However, W3C and Google are currently negotiating an alternative. But, if both parties fail to reach an agreement, the decision will be up to Berners-Lee.


INFORMATION SECURITY

AN INTERVIEW WITH DR. MANSUR HASIB, CYBERSECURITY LEADER


Dr. Mansur Hasib

Dr. Mansur Hasib is a leader in the cybersecurity discipline, and a respected author and teacher. He has 30 years of experience (including 12 as CIO) leading organizational transformations through digital leadership and cybersecurity strategy in healthcare, biotechnology, education, and energy. His seminal book Cybersecurity Leadership (available in ebook, paperback, and audio) has been widely acclaimed by practitioners and scholars alike and is listed among the best IT and cybersecurity books of all time. In 2017, he won the International Information System Security Certification Consortium (ISC)2 Americas Information Security Leadership Award (ISLA) for leading the implementation of the Master of Science in Cybersecurity Technology degree program at University of Maryland Global Campus (UMGC). He also won the 2017 Cybersecurity People’s Choice Award and the 2017 Information Governance Expert of the Year Award. In 2018, the Global Cyber Startup Observatory, based in Europe, inducted Dr. Hasib into their Hall of Fame and SC Magazine awarded UMGC the Best Cybersecurity Higher Education Program award. UMGC won this SC Magazine award again this year. In 2019 Dr. Hasib was awarded the Outstanding Global Cybersecurity Leadership Award by the ICSIC in Canada. Mansur enjoys table tennis, comedy, and travel, and has been to all 50 states of the USA.

IGW: Where did you grow up, and go to school?

MH: I grew up and went to school in Bangladesh.

IGW: You were raised by a single mother; what did she emphasize to you growing up?

MH: My mom taught me all I know about leadership. She emphasized making lots of friends and sharing knowledge with each other so everyone can be successful. She taught me to focus on things within my control and simply accept and work around things I could not control. She also told me to try as many things as possible in order to find out what I truly enjoyed and what I was good at. She also believed that trying many things develops different parts of the brain. This helped me to develop my interdisciplinary perspective.

IGW: You have been a CIO in the past; what sparked your interest in cybersecurity?

MH: I have discussed the following seven CIO roles in my book and also shared these at multiple conferences since 2010:

1. Strategic Planning
2. Building and Maintaining Relationships
3. Cybersecurity
4. Reliability and Quality
5. Projects and Services
6. Promoting the Organization
7. Team Building

A CIO can never be successful without focusing on the mission success of an organization, the organizational risks, and implementing a proper IG framework. They must also ensure confidentiality, integrity, and availability of information. A CIO must also be able to engage people, policy, and technology to fulfill goals. In addition, they must ensure perpetual innovation. This is the essence of cybersecurity.

IGW: What prompted you to pursue your doctoral degree? Who was your favorite professor, and what did you learn from them?

MH: Earning a doctoral degree was always a life goal for me. However, life events made it seem like it would never happen. I entered the fields of network engineering, IT, and cybersecurity as a practitioner and literally had to develop those disciplines with my colleagues as we progressed. We had sparse guidance and only our interdisciplinary business thinking and ethical focus to ensure the success of the organization and the people we were trusted to lead. Eventually, after a successful career as a practitioner, I wanted to build the next generation of business leaders who would be able to use cybersecurity and digital strategy to power modern organizations—because that is what I felt was needed. I was disturbed at the obsolescence of business curriculums and the haphazard nature of many academic cybersecurity programs. So in order to enter academia and to develop graduate programs that I felt were sorely needed, I earned my doctoral degree in 2013. My favorite professor during my doctoral program was Dr. John Cordani,

who taught me to understand the role of leadership in the field of cybersecurity. His course triggered me to write several chapters of my book Cybersecurity Leadership. He also served as the chair of my dissertation.

IGW: What areas of need do you see that are not generally being fulfilled in cybersecurity education?

MH: Too many cybersecurity education programs focus simply on technology. People and policy, especially the leadership aspects of cybersecurity, are not taught in most programs. Too many have a computer science focus. Too many programs also have artificial barriers to entry. Too many focus on memory-based tests of knowledge. Organizations need doers. Knowing is not enough. We need people who can apply the knowledge to solve problems. We need people who can critically analyze issues. We also need good programs to be accessible globally at a reasonable cost. Our competency-based graduate cybersecurity programs at the University of Maryland Global Campus addressed these issues head on. Our innovations led to multiple awards for our programs as well as exponential global growth. We are currently serving 10,000 interdisciplinary graduate students globally. Anyone with a Bachelor’s degree in any field is welcome in our graduate program.

IGW: What advice would you give to cybersecurity professionals just starting out?

MH: Visit my website https://www.cybersecurityleadership.com and go through all the free videos and learning materials, understand the vast nature of the field and figure out which area they can be passionate about. Network, attend conferences, write, speak, and find helpful mentors who can expedite their success.

IGW: What major trends and changes do you see rising in the cybersecurity landscape?

MH: I am hopeful that more executives who understand digital strategy will continue to lead and make a difference.

IGW: It has been said that the next World War may be fought in cyberspace. What impact do you see emerging from nation-state cybersecurity attacks?

MH: We are already engaged in global cyber warfare. Some glimpses of the impact are already apparent, and if left unattended or unaddressed the impact will continue to be amplified.

IGW: What is your favorite food, and why do you like it?

MH: This is not an easy question to answer as I have an eclectic palate. However, I do like Chinese food, prepared Bangladeshi style. This food brings back many fond memories.

IGW: What is your favorite book, and why?

MH: Once again, a very difficult question as I cannot single out a book. However, two all-time favorites are:

1. Good to Great, by Jim Collins, which talks about how executive leadership collaboration and focus on leadership of people can help organizations to thrive; and,

2. Do the Right Thing, by James Parker, which shares the story of Southwest Airlines and its ethical leadership culture, which shares the fruits of success with all people who contributed to that success— something I feel has always been the foundation of capitalism, but has been eroded over the last several decades.

DR. HASIB MAY BE REACHED AT MANSURHASIB@GMAIL.COM, OR FOLLOW HIM ON TWITTER @MHASIB OR LINKEDIN: WWW.LINKEDIN.COM/IN/MANSURHASIB. TO ACCESS MORE CONTENT, VISIT: WWW.CYBERSECURITYLEADERSHIP.COM.


HEALTHCARE WORKERS OFTEN NOT TRAINED IN CYBERSECURITY AWARENESS BY BAIRD BRUESEKE

In 2018, the WannaCry malware epidemic knocked out more than 200,000 computers in 150 countries. In some hospitals, WannaCry encrypted the data on all devices, including medical equipment. The headlines associated with healthcare-related data breaches should make organizations implement security awareness training (SAT) programs to mitigate the risk of future attacks. Unfortunately, many organizations are responding slowly, if at all. A recent report by the cybersecurity firm Kaspersky finds that as many as one third of healthcare employees have not received cybersecurity awareness training. [1] The survey found that, by and large, organizations are not learning their lessons after the first attack. Seventeen percent (17%) of the respondents said they were aware of a ransomware attack in the last five years. One third of those noted that the attacks had happened more than once. As IG World has pointed out in previous articles, SAT programs provide employees with the knowledge necessary to mitigate the risk of ransomware, data breaches and other cybersecurity-related incidents. Since the primary attack approach for ransomware is phishing emails, the survey’s documentation of multiple, repeated ransomware incidents at the same healthcare organizations is clear evidence that they are not implementing effective SAT programs. This laissez-faire attitude toward cybersecurity training is irresponsible, given the big economic cost of cyber security incidents—not to mention the potential human cost. In a separate report, Kaspersky determined that the average malware attack costs large enterprises $1.2 million. For small and medium-sized businesses, the average cost is $123,000. In addition to the financial impact, cyber incidents have a significant negative impact on the “brand” of the affected organizations, which may result in patients seeking alternatives for their healthcare.

The findings of the Kaspersky survey are supported by another survey conducted by MediaPRO. The results of this survey were reported in the HIPAA Journal. The MediaPRO survey team contacted over 1,000 US healthcare industry employees to assess their level of security awareness. [2] The MediaPRO survey assessed eight areas of cybersecurity knowledge. Astoundingly, despite the obligation that healthcare workers must safeguard patient data in compliance with HIPAA regulations, healthcare workers scored worse than the general business population on this assessment. The survey discovered that doctors were particularly bad at understanding privacy and security threats. Based on their answers, 50% of the physicians in the survey were classified as risks. The doctors’ lack of knowledge makes them a significant security threat to the organization. Their ability to identify phishing emails was alarmingly low: 24% of physicians displayed a lack of understanding of phishing, compared with 8% of office workers.

Verizon publishes a widely-read and respected Data Breach Investigations Report every year. The 2017 report found that 80% of healthcare data breaches were the result of human error, with the most commonly successful attack being a well-crafted phishing email. Combined with the results from the Kaspersky and MediaPRO surveys, it is clear that many healthcare organizations are not providing their employees with effective Security Awareness Training.

REFERENCE: [1] https://media.kasperskydaily.com/wp-content/uploads/sites/85/2019/08/16121510/Kaspersky-CyberPulse-Report-2019_FINAL.pdf [2] https://www.hipaajournal.com/healthcare-industry-employee-security-awareness/


INFORMATION SECURITY

PHISHING ATTACKS ARE MORPHING – CHANGING TO BYPASS SECURITY TOOLS BY BAIRD BRUESEKE

Israel-based cybersecurity firm Ironscales reports that 42% of the phishing attempts they examined were “polymorphic.” Polymorphism happens when bad actors make slight and often random changes to an email’s artifacts, such as its content, subject line, sender name or template. This method allows attackers to quickly modify phishing attacks so that they trick or bypass signature-based email tools, thus allowing different versions of the same attack to get into user inboxes. Over the past 12 months, Ironscales analyzed data from 200,000+ user inboxes and found 11,733 email phishing attacks that had undergone at least one permutation.

HOW DID IT START?

Polymorphic phishing attacks were first identified in 2016. Initially, the attackers just changed the embedded URLs pointing to their landing pages. Phishing pages generally exist as random URLs on the internet (not linked to or referenced by anything else). Typically, they are only deployed for a few hours. The short lifespan of these URLs makes it very difficult for automated scanning and blacklisting software to keep up with them. Thus, early on, a few minor changes in the URL structure were enough to bypass the cyber defense tools.

THE EVOLVING THREAT

Defending against polymorphic email phishing attacks is a time-consuming and burdensome task for security teams. Over time, the security tools became smarter and so the phishing tools evolved, implementing new polymorphic methods to stay one step ahead of the tools. The increasing availability of low-cost phishing kits on the Dark Web is complicating the task of defending enterprise networks.

Large scale attacks involving thousands of emails are easily blocked by spam filters. Therefore, polymorphic attacks generally begin with a smaller and more targeted standard phishing attack on an organization. Once one employee falls for the attack, the hackers have access to a credentialed account that they can leverage to send a polymorphic attack to other users on the network. The small (polymorphic) changes to each email are meant to prevent automated internal network security tools from screening the messages out. Once a polymorphic phishing attack is underway, the IT team cannot blacklist the compromised accounts because they are within the organization, and the messages cannot easily be screened because they are not uniform in composition.

THE SOLUTION

Companies are now turning to decentralized and distributed intelligence coupled with non-signature-based email security tools that utilize AI and machine learning to identify similar attacks. AI and machine learning are the heart of behavior analysis systems, which use algorithms combined with human feedback to recognize malicious intent. Their sophistication (from learning) increases with time and exposure.

THE WILD BUT TAMABLE WORLD OF THREAT INTELLIGENCE BY MARK VERON

The concept of threat intelligence has existed in our world much longer than any computer has. Over 1000 years ago in The Art of War, Sun Tzu made some of the earliest mentions of threat intelligence known to man. One can see this in his chapter about “The Use of Spies,” where he states that “foreknowledge about the enemy” is what enables a great general and wise ruler to strike and conquer. The same can be said in today’s modern world, where social media participation and the ever-expanding network of IoT devices invade every corner of our lives while collecting petabytes of data. In a time when the frequency and quality of attacks have drastically increased, having a proactive vision of how your enemies develop their tactics into strategies is imperative. The polymorphic phishing attack is a good example of this point. CISOs should adopt and apply a survivalist’s mantra: “experience helps, but preparation saves.” The underlying importance of threat intelligence can often be the difference between being breached and possibly ruining a company, versus having taken proactive measures to minimize the impact so that a company may return to working order as quickly as possible. As Richard Bejtlich wrote in The Art of Network Security Monitoring, “it’s not if it happens, but when….”

Most enterprises must employ some form of threat intel to protect their data, brand value, and most importantly, their customers. So what exactly are companies doing to better protect your data? In many enterprise environments it is typical to leverage various third-party threat intelligence feeds that align with the organization’s security operations. More sophisticated systems have the ability to stream directly into Security Information and Event Management (SIEM) systems as alerts. Typically these feeds take on a software component with a GUI that leverages data sources that include but are not limited to: intel campaigns from within the dark web, network mappings and user behavioral analytics via AI, and Python programs that query the Twitter and Facebook APIs in order to proactively hunt for any mention of cybersecurity news or a potentially malicious outbreak.

In addition, within the information security department, threat intelligence physically manifests itself in a dedicated team of specialists who are typically called Threat Hunters. These are the individuals who work together as operators (using the techniques above) to create applicable advantages within their respective environments and networks. Often such roles are not limited to one job, but rather span a wide range of capabilities (reverse engineering, forensics, incident response) that feed a continuous and integrative threat intelligence platform within a security operations team. There are no major “Threat Hunter” certificate programs (though minor ones are offered by proprietary technology vendors). Being able to understand and master the world of threat hunting and threat intel takes as much scientific and technological understanding as it does the passionate expression of problem-solving and discovery. The best way to become proficient within this vast landscape is to immerse oneself within both the offensive and defensive sides of the realm, i.e., Red and Blue Teaming (which can be in the form of Capture The Flag [CTF] events). Having both perspectives of the cyber landscape allows the practitioner not only to think openly and abstractly about upcoming challenges but also to be technically armed to undertake and deter what potentially might be the next big hit.

In essence, developing a capable threat intelligence platform or team does not have to be a resource-intensive or tricky maneuver. With proper research and design, any organization or entity can significantly increase its security posture, decrease its exposure, and be operationally ready to respond to an incident right when it occurs.

MARK VERON, MS CSIA, IS A SENIOR SECURITY CONSULTANT AT OPTIV, THE WORLD’S LEADING SECURITY SOLUTIONS INTEGRATOR (SSI). MARK SPECIALIZES IN AWS CLOUD SECURITY AND INCIDENT RESPONSE (IR) SOLUTIONS. HIS CURRENT ASSIGNMENT IS TO DEVELOP AN AWS IR PROGRAM FOR A MAJOR AIRLINE. RECENTLY, MARK GAVE A TALK ABOUT MALICIOUS ADWARE CAMPAIGNS AND THE SOPHISTICATION OF MALVERTISEMENTS AT THE NEW YORK STATE CYBER SECURITY CONFERENCE. HE RELIEVES STRESS BY PRACTICING BRAZILIAN JIUJITSU. HIS CONTRIBUTIONS TO THE OPENSOURCE COMMUNITY ARE AVAILABLE AT HTTPS://GITHUB.COM/CYBERTROP. HE CAN BE REACHED AT MARK.VERON@OPTIV.COM
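As an added example tying together the polymorphic phishing article and the threat-hunting discussion above (it is not code from either author or from Ironscales), the following Python contrasts an exact-match signature with a normalized, similarity-based fingerprint of the kind a hunter might run over a mailbox export. The sample messages, the 0.5 threshold and the helper names are all assumptions constructed for the demonstration.

```python
import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Email:
    msg_id: str
    sender: str
    subject: str
    body: str


# Constructed sample messages (not real phishing mail): a seed message, three
# permutations of the kind the article describes (punctuation in the subject,
# a different sender display name, a different URL path and deadline, a small
# wording change) and one unrelated benign message.
SEED = Email(
    "m1", "IT Helpdesk <helpdesk@example-corp.test>",
    "Action required: password expires today",
    "Your password expires in 24 hours. Visit http://portal-reset.example.test/a1b2 to keep access.",
)
VARIANTS = [
    Email("m2", "IT Help Desk <it-help@example-corp.test>",
          "Action required: password expires today!",
          "Your password expires in 12 hours. Visit http://portal-reset.example.test/x9y8 to keep access."),
    Email("m3", "IT Helpdesk <helpdesk@example-corp.test>",
          "Reminder - password expires today",
          "Your password expires in 24 hours. Visit http://reset-portal.example.test/q7w6?u=44 to keep your access."),
    Email("m4", "Service Desk <desk@example-corp.test>",
          "Action required: password expires today",
          "Your password will expire in 24 hours. Visit http://portal-reset.example.test/z0 to keep access."),
]
BENIGN = Email("m5", "Cafeteria <food@example-corp.test>",
               "Lunch menu for Thursday",
               "Today's specials are soup and a vegetable curry. The cafeteria closes at 14:00.")


def raw_signature(mail: Email) -> str:
    """Exact-match signature: a hash of the message exactly as received.
    Any one-character permutation produces a different hash."""
    blob = f"{mail.sender}\n{mail.subject}\n{mail.body}".encode()
    return hashlib.sha256(blob).hexdigest()


def signature_hits(mails, blocklist):
    """Ids of messages whose exact hash is on a blocklist of known-bad hashes."""
    return [m.msg_id for m in mails if raw_signature(m) in blocklist]


URL_RE = re.compile(r"https?://\S+")
NUM_RE = re.compile(r"\d+")
PUNCT_RE = re.compile(r"[^\w\s<>]")


def normalize(mail: Email) -> str:
    """Collapse the artifacts attackers permute: URLs become <url>, numbers
    become <num>, case and punctuation are dropped, whitespace is squeezed.
    The sender is deliberately ignored because display names are cheap to change."""
    text = f"{mail.subject} {mail.body}".lower()
    text = URL_RE.sub(" <url> ", text)
    text = NUM_RE.sub(" <num> ", text)
    text = PUNCT_RE.sub(" ", text)
    return " ".join(text.split())


def shingles(text: str, n: int = 3):
    """Set of word n-grams; overlapping n-grams survive local edits."""
    toks = text.split()
    if len(toks) < n:
        return {" ".join(toks)}
    return {" ".join(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def similarity(a: Email, b: Email) -> float:
    """Jaccard similarity of the two messages' normalized shingle sets (0..1)."""
    sa, sb = shingles(normalize(a)), shingles(normalize(b))
    return len(sa & sb) / len(sa | sb)


def cluster_variants(mails, seed: Email, threshold: float = 0.5):
    """Ids of messages that look like permutations of a confirmed-bad seed.
    The threshold is an assumed starting point; tune it on real mail and
    feed analyst verdicts back, as the article's behaviour-analysis tools do."""
    return [m.msg_id for m in mails
            if m.msg_id != seed.msg_id and similarity(m, seed) >= threshold]


if __name__ == "__main__":
    mailbox = [SEED] + VARIANTS + [BENIGN]
    print("exact-hash hits:", signature_hits(mailbox, {raw_signature(SEED)}))
    for m in mailbox:
        print(m.msg_id, f"{similarity(m, SEED):.2f}", normalize(m)[:60])
    print("similarity hits:", cluster_variants(mailbox, SEED))
```

The exact hash matches only the seed, while the normalized fingerprint scores all three permutations at or above the threshold and the benign message at zero; the m4 wording change scores lowest, which is the kind of case that decides where the threshold should sit.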


INTERVIEW BY ROBERT SMALLWOOD • PORTRAITS BY BO HALLENGREN PHOTOGRAPHY

THE DATA LUMINARY: DENNIS KESSLER OF THE EUROPEAN INVESTMENT BANK

DENNIS has worked in financial information management and change management in global organisations with an international career spanning more years than he’d like to admit. He has lived and worked in London, Hong Kong (five years), Osaka (five years) and Basel (Switzerland, also for five years, with the global banking standards-setting Bank for International Settlements) before taking on his current role in 2016 as head of data governance at the European Investment Bank in Luxembourg.


He constantly sees how managing and governing data properly can help to break down organisational silos, boosting collaboration and helping to clarify and improve corporate data, processes and operations. All of this requires a change of culture with the managers of business areas becoming more directly accountable for data quality through meaningful ownership throughout the organisation. Dennis is passionate about improving the way organisations value and treat their data. His work involves building and strengthening data governance teams and establishing a data culture across complex organisations. More than just establishing policies and standards, this work focuses on raising awareness among every level of staff, especially senior management, that managing and governing data is not a technical task for IT – instead it focuses on people and processes and the handling of a precious resource. Ensuring data quality is a responsibility of every person who touches an organisation’s data in any way. Engaging and incentivizing the right people is a critical success factor in shifting to a more data-aware culture. Treating data as an asset means everyone has to view and handle it as the precious resource it is.

Where did you grow up? Go to school?

London was my home until I went to university in Manchester, then returned to London to start my career as a SWIFT and financial messaging consultant.

What are your responsibilities at the European Investment Bank?

I lead the data governance team, which comprises our small central unit plus a network of data stewards who are permanently assigned to an individual directorate/department. We focus on four key pillars: building a business glossary of both business terms and data objects; managing and improving data quality throughout the EIB Group; information architecture and data modelling; and the newest element, governance over “end-user computing” (EUC) tools. The banking best-practice principles for managing risk data, BCBS 239, have had a huge impact in the banking industry, as well as other regulations, by putting a big spotlight on data governance and data quality management. Finally, these areas are now recognised as long-term business challenges and no longer as some obscure project that sounds like it should be sitting quietly in a corner of an IT department. We are working to improve data quality and business accountability, among other data-management domains, by introducing a lasting data-aware culture. It’s definitely a very interesting time to be working in this field!

How did you get into the data governance field?

After returning to the UK from Japan in 1999, I did a lot of consulting work mostly with banks, which led to various change management and business analysis roles. Significant highlights were a lead consultant role on a big global data management programme for UBS during 2007-08, and later the first information governance lead at the Bank for International Settlements (BIS) in Basel from 2011.

How do you define data governance?

It’s the framework of controls and processes which are regularly carried out to check how well data management activities are conforming to the policies, standards and guidelines defined to achieve the desired good practices. The key to understand is that we do not govern data! Instead, we govern the various data management activities and practices. So data governance is sometimes misunderstood—we govern the data-related activities in order to identify and reduce any gaps between the goals and the reality.

How do you see data governance in relation to Information Governance?

I take a simplistic view that data tends to be structured and meaningless without a context. Data is a specific subset within the overall universe of information. In practical terms with non-specialist stakeholders, thinking of data as structured stuff that lives in databases and flows through business processes is easy to distinguish from document-based information which tends to be unstructured.

How has Brexit affected or will affect the European Investment Bank policies?

The EIB is a not-for-profit institution which serves as the financing arm of the European Union. It exists to finance public-sector projects designed to support EU strategic development goals, including boosting employment, improving infrastructure (transport, water, electricity distribution and digital access), creating schools and hospitals, supporting green energy and environmental protection, etc. The Bank is owned and capitalised by its shareholders which are the EU member states. The UK was a 16% shareholder, and has enjoyed receiving over $7bn per year in long-term loans for the past few years. After the UK leaves the EU, it will no longer be eligible to receive such long-term development loans, which the vast majority of industry associations are deeply concerned about. However, the UK will have to continue repaying its existing loans for many years.

Has the GDPR had an impact at the EIB? If so, what challenges did you face in preparing?

There is actually a very similar but slightly different regulation which applies to EU institutions like the EIB, not GDPR. However, the goals are the same—as are the challenges. It starts with knowing what information you have, stored where and for what purposes, etc. Once you start to map the terrain, you can then start applying policies. The EIB deals with counterparties which are mainly themselves corporate entities. It doesn’t provide loans to individuals, so doesn’t have the same burden of managing customer records and sensitive customer data as a typical retail bank. Nonetheless we are working to become clearer about what data we have, what we ask for from job applicants, consultants, and other service providers—then store and retain that data consistent with the lofty goals of GDPR.

How is the EIB addressing the crypto-currency trend? Is it a threat to the traditional banking system?

The EIB is completely separate from the European Central Bank, which is based in Frankfurt and is the engine of banking supervision in the entire region. As a public-sector lending institution, the EIB focuses on development goals and not on banking trends and the regional banking system.

How many languages do you speak? How and where did you learn them all?

I speak a few languages, most shockingly badly. I learned some Hebrew while studying at the Hebrew University in Jerusalem in the early 1980s for half a year. I learned some Arabic when I worked in Cairo for a few months while taking a break from university. I learned some Cantonese while living and working in Hong Kong as a SWIFT banking systems consultant in the early 1990s. It was never conversational but I could argue with taxi drivers and order 20 kinds of dim sum without needing a menu or pictures. I learned decent Japanese during five years living and working in Japan in the late 1990s. My Japanese was just starting to get decently conversational when we relocated to the UK with a baby on the way. From 2011, I started learning German while working in Basel, in the German-speaking part of northern Switzerland. My German was OK but practicing wasn’t always easy as they speak a wonderfully strange dialect of “Swiss-German” over there, not the traditional “high German” of their big neighbour to the north. And having been based in Luxembourg since mid-2016, I’ve had the chance to improve my French, which isn’t too bad and getting better. I should add that my English also isn’t bad. I had the great good fortune to spend a couple of years working as a freelance business writer and journalist at the Economist Intelligence Unit in Hong Kong, where I wrote for the EIU and the Euromoney Group. The Economist Group has famously high editorial quality and superb punchy and tight writing. I was trained as a subeditor which gave me a lot of insights into the differences between good, bad and superb writing - more than anything else, it’s clarity and simplicity. That editorial training, together with the perspectives of knowing a few other languages, taught me a lot about my own native tongue. I really appreciate good writing and have enjoyed giving training courses in the mysterious craft known in the UK as “Plain English.”

What do you like most about Luxembourg?

Luxembourg is a tiny, charming and beautifully green country nestling between Germany, France and Belgium. The quality of life here is very high, and it’s heaven for people who enjoy hiking, cycling, and even just fresh air.
It’s very clean - roads, paths and tracks are all immaculately maintained by the government and local authorities; as in Switzerland, it’s pretty rare to see even a single piece of trash on the ground. Standards of everything are very high—just like the cost of everything, which isn’t really surprising when you consider that little Luxembourg is by far the wealthiest country in Europe and one of the wealthiest in the world in terms of GDP per capita. Generally the people are friendly and helpful—not to mention amazing linguists. Most kids are brought up speaking French, German, English, and “Luxembourgish,” an enigmatic language which is really what often separates the true locals from the enormous percentage of foreign professionals living and working there with their families. The population is just over 610,000, almost half of whom are foreigners like me. Yet I’m always made to feel welcome, never resented. Luxembourgers are very pragmatic. They’re rightfully proud of their remarkable little nation, and know that their continued prosperity depends on the steady supply of skilled professionals to help fuel their economy. Many non-resident foreigners work in Luxembourg but live over the border in neighbouring France, Germany or Belgium. And that reminds me about the only thing that everyone agrees to dislike about Luxembourg (apart from the high prices)—and that’s the traffic. Because the population literally doubles every day, as hundreds of thousands of people commute daily from over the borders, and then back out again. If you get the timing wrong, the traffic is among the worst anywhere in Europe. And that’s why the government is unilaterally making all public transport entirely free, in an effort to encourage people to leave their cars at home. And I have to mention how lucky we are to live just 20 minutes from the beautiful Moselle Valley, which produces magnificent white wines, especially the famous Riesling, as well as Pinot Gris and Pinot Noir. And then there’s the wonderful “Cremant”, which is Luxembourg’s traditional sparkling wine which usually rivals good French champagne. We now are truly blessed and spoiled in equal measure.

What do you miss most about living in Basel, Switzerland, when you were with the Bank for International Settlements (BIS)?

Despite being small it has a huge number of museums, including some of the world’s finest art galleries and museums. Also Basel is located right on the border with both France and Germany, which makes it easy to cross the border on a Saturday for your weekly grocery shopping or even just to get some fresh croissants. Also wonderful was being just a few hours’ drive from the lakes and mountains of northern Italy, as well as the magnificent Black Forest in southern Germany. But of course what we miss most of all is people. During five years of living and working we made a lot of good friends—who are still just a four-hour drive south.
One of the things I miss the most is the “Fasnacht” traditional carnival group I was invited to join. These are made up of close communities of locals who share a real camaraderie and sense of living tradition and heritage. Fasnacht is a wild traditional three-day festival featuring indescribably surreal and sometimes even disturbing masks and costumes. I joined one of the most well-established “Guggemusik” marching bands, and learned to play the sousaphone (the big wraparound tuba that takes up the rear in typical marching bands). It was an especially rare honor for a non-dialect-speaking foreigner to be invited to join such a community—and indeed, “fitting in” and becoming part of the family is considered much more important than instrumental skill. Last year Basel’s Fasnacht carnival was elevated with UNESCO Intangible Cultural Heritage status.

What hobby or special skill do you have that might surprise most of your colleagues?

I’ve enjoyed a richly varied career which has been far from linear. Something which doesn’t appear on my resume is the fact that while living in Hong Kong I worked as a part-time classical-music radio presenter and producer, and that work led to the strange, surreal world of dubbing Hong Kong kung-fu epics from Cantonese into English for international distribution. I worked with a skilled team led by expat friends and mainly hired by the big movie studio Golden Harvest as well as some Chinese film studios. I worked on some big productions featuring Jackie Chan when he was a huge star in Asia but before he broke into Hollywood. Dubbing the group fight and battle scenes was great fun but also tough. We needed training and a few rehearsals before recording. During one replay of a battle scene, it was undiplomatically pointed out that my character had continued wailing loudly long after being decapitated. Clearly it was time to retire and progress to data governance instead. And the rest is history.

Chairing and speaking at international conferences on Data Governance and analytics is a great way to share ideas and experiences with fellow practitioners. Dennis enjoys making these events a lot livelier by driving discussions and knowledge-sharing on success factors - what works and what doesn’t in practice.

SPECIAL THANKS

BO HALLENGREN is an editorial and commercial video and photographer with a style consisting of emotional and energetic imagery. Based in Luxembourg, his team are ready to create visuals that makes a difference for you: www.bohallengren.com



Instructor-Led Classroom Training on IG with Leading IG Trainer Robert Smallwood

Attend this popular classroom course held at one of the most beautiful college campuses in the world, the University of San Diego, which overlooks the Pacific Ocean. Taught by IG thought leader Robert Smallwood, the world’s leading trainer and author on IG topics, students get personal attention to ensure they grasp key IG concepts and can apply them to their work. The first day covers IG Basics including the IGP Certification Prep Crash Course, followed by two days of Advanced IG Training. The course is based on Smallwood’s groundbreaking text, Information Governance (Wiley, 2014, 2019), and also supplemental course materials.

3 Day Basic & Advanced Intensive Course

University of Miami, November 19-21, 2019 (Tues-Thur). Tuition Cost: $1,695* (Group discounts are available for 3 or more from the same company.)

University of San Diego, April 1-3, 2020 (Tues-Thur)

* EARLY BIRD DISCOUNT: ($200 discount) Register By Nov. 1, 2019. Tuition Cost: $1,495

Includes: Tuition, Breakfasts, Coffee Breaks, and Supplemental Materials. NOTE: You must purchase the textbook prior to class. Housing options include nearby hotels in partnership with USD.

Past attendees include IG professionals from major law firms, leading corporations, and large government agencies.

World-class IG Training

“The 3-day training was very educational, and the small classroom environment made it even more interactive.” —RIM Manager, Fortune 500 Corporation

Topics Include:
• Failures & Lessons Learned in IG
• GDPR, Big Data Impact
• IG Imperative
• IG Principles
• Role of Data Governance in IG
• IG Risk Assessments
• Strategic Planning for IG
• IG Policy Development
• IG Program Management
• Infonomics: The Value Side of IG
• IG for Legal Functions & E-discovery
• IG for RIM
• IG for IT
• Privacy Functions in IG
• IG for Email, Social, Mobile, Cloud
• SharePoint IG
• Digital Preservation
• Information Asset Registers
• Taxonomies & Metadata
• Cybersecurity in IG
• IG for Emerging Technologies
• The Role of Executive Sponsorship in IG
• IG Best Practices
• Developing Key Metrics for IG Programs

Take advantage of this exclusive training opportunity to educate your IG team! Seating is limited, reserve yours today at IGTraining.com, or call us at 888-325-5914!


ANALYTICS & INFONOMICS

SUPERCHARGING YOUR DATA MANAGEMENT STRATEGY WITH VALUE

BY RICHARD KESSLER AND MICHAEL HENZEY, KPMG LLP

The challenge: The need for a consistent, operationalized, defensible method for continuous assessment of data’s value, risk and compensating controls

In today’s business environment, the most important strategic asset of any major enterprise is its data. Each enterprise has the business imperative to use data better to gain deeper insights, to improve decisions and to realize business value. Yet, as business leaders and data professionals know, with the increasing sophistication of users of data, new global data protection regulations, and ever-present cybersecurity threats, it is becoming more challenging to manage data at scale and speed. What’s more, with the impending arrival of 5G mobile broadband and the ever-expanding Internet of Things (IoT), these challenges will only continue to increase in number and severity as data volume, variety and velocity grow. New and novel approaches to managing data are needed to keep up with these disruptors. Indeed, if these challenges aren’t met, data assets that can be useful and valuable can become data liabilities, with the potential to severely harm an organization.

Businesses can’t manage what they can’t measure. While organizations usually attempt to evaluate data risk, they rarely attempt to measure the value of their data. It is a testament to the poor state of affairs that many business leaders cannot look across their data portfolio and answer these fundamental questions:
• What data do we have and where is it? How are we using it?
• Have we applied appropriate controls considering both data’s value and risk together?
• What data requires immediate action to protect in order to leverage the data and unlock its actual value?
• Lastly, businesses usually cannot answer one of the most important questions of all: Is my data actually worth the risk and cost of controlling it?

[Figure: sample scorecard rating labels: High, Medium, Low; Within Appetite; Approved]


CREATE A DATA VALUE-RISK-CONTROL PROFILING MODEL

One innovative capability for addressing these challenges is to utilize a data value-risk-control profiling tool. The tool uses a questionnaire, data value, risk and control scores, and simple backend logic to provide a normalized scorecard. The scorecard permits a streamlined, centralized review of data use cases across the organization. The approach does not attempt to evaluate the monetary value of data—that would be too hard to do at scale. Rather, the tool, based upon the enterprise’s collective subject matter expert knowledge of the data, leverages simplified algorithms as part of its approach to create a normalized score. Across multiple inputs, the tool automatically generates a scorecard assessment of the data’s value, risk, and controls. Moreover, depending upon an organization’s implementation of the model, it could also include an assessment as to whether the data set and the intended use is within risk tolerances/appetite, and whether the use is approved or denied by a governing body. While this may seem simple, it provides something profound: a simplified approach to calculating data value and risk that is consistent and scalable.

THE ROADMAP: PRACTICAL TIPS ON DEVELOPING THIS CAPABILITY

While each business’s journey will be different, the approach to develop the data value-risk-control profiling model will have many of the same key steps:

1. Establish the committee and/or executive sponsor for this effort. If you don’t already have an Information Governance structure at your firm, establish a broad, cross-functional committee to spearhead the project. The committee should include all the professionals from related disciplines that should have a say in developing a data profiling model, including data management, analytics, RIM, legal, IT, Information Security, Marketing, Privacy, Compliance, Risk Management, as well as representatives from key business lines. Additionally, like any change initiative, lining up executive sponsorship is critical to mobilizing resources and sustaining support.

2. Assess the organization’s current state and identify what data-related problems exist. Survey the organization to identify major data pain points to provide insight into which business areas or use cases the model should be deployed to first.

3. Create an enterprise strategy that has data value at its core and a timeline for transformation. Whether your company decides to take an incremental approach or tackles many moving parts in parallel, it is important to lay out a strategy upfront. This gives everyone structured and timely goals and metrics to meet and measure progress along the way. This strategy should be value focused: optimizing use of data as a strategic asset while addressing value enablement, holistically, and every time (e.g., managed data quality, data protection by design).

4. Develop a specific set of data elements and corresponding questionnaire. If your organization does not already have an inventory of a specific set of data elements, such as those constituting “sensitive data,” you’ll need to create one. Determine which data elements are important for inclusion in this set as a first initiative, and document critical metadata, such as where your data resides and data owners. Next, develop a standardized questionnaire that touches upon the unique value and risk factors that are relevant to your organization. This is where having a broad, cross-functional development committee is most important. Although agile approaches will likely work best—“fail fast fail often”—getting this step right to build support is critical.

5. Develop an operating model, train and socialize. Finally, the committee will need to develop an operating model and governance structure for how the model will be used in day-to-day operations. Basic logistics have to be worked out: When must a questionnaire be filled out for a data use case? Who fills it out? Who reviews the results? What are the effects of those decisions? How are decisions communicated to the requestor? Further, the committee should undertake an extensive socialization campaign to get the workforce comfortable. This should include training, playbooks, job aids and on-going awareness campaigns. Finally, all of this should be accompanied by a supportive message from leadership that encourages a change in culture going forward to embrace this enhanced approach to data governance. Developing a data value-risk-control profiling model, and the associated business processes to support it, may seem like a daunting task, especially when implementation is enterprise-wide. Organizations should consider focusing on smaller business domains or a limited set of use-cases first, and work to grow the model iteratively over time.

CONCLUSION

As data volumes, risks, and opportunities continue to grow, organizations should find new ways to manage, protect, and control data risk to unlock its value. Measuring data value along with data risk can allow for enhanced analysis of value, greater risk identification, and improved traceability of required controls. The lasting result of such an approach will allow businesses to safely maximize use of their most valuable data. As we move further into the data-driven world, organizations must continuously improve their use and protection of data. Understanding the value and risk of data across the firm, using solutions like a data value-risk-control profiling model, is a crucial first step towards becoming a data-driven business.

RICHARD KESSLER MAY BE REACHED AT RKESSLER@KPMG.COM. MICHAEL HENZEY MAY BE REACHED AT MHENZEY@KPMG.COM. BOTH WORK IN KPMG’S CYBER SECURITY SERVICES UNIT. THANKS TO SAMANTHA BOLET AND BROOKE SMITH WHO ALSO CONTRIBUTED TO THIS ARTICLE.
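The article describes the profiling tool only in outline: a questionnaire, value/risk/control scores, simple backend logic, a normalized scorecard, and an optional within-appetite and approved/denied assessment. The following is an added illustration of how such backend logic can be built; it is not KPMG’s tool, and the questions, weights, 0-4 answer scale, High/Medium/Low thresholds, the residual-risk formula and the 0.4 risk appetite are all assumptions chosen for the example. It also answers the four questions from the article’s opening (what we have, whether controls match value and risk, what needs immediate action, and whether the use is within appetite) from one set of questionnaire answers.

```python
"""Data value-risk-control profiling scorecard (illustrative, hypothetical model)."""
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical questionnaire: each question belongs to one dimension and carries a
# weight; answers are integers on a 0-4 scale (0 = not at all, 4 = fully).
# Neither the questions nor the weights come from the article; they are assumptions.
QUESTIONS: Dict[str, Dict[str, int]] = {
    "value":   {"revenue_dependency": 3, "decision_support": 2, "reuse_breadth": 1},
    "risk":    {"personal_data_sensitivity": 3, "regulatory_exposure": 2, "external_sharing": 2},
    "control": {"access_control": 2, "encryption": 1, "retention_managed": 1, "quality_monitored": 1},
}
MAX_ANSWER = 4


@dataclass
class Scorecard:
    use_case: str
    value: float            # normalized 0.0-1.0 scores
    risk: float
    control: float
    residual_risk: float    # risk remaining after controls are credited
    within_appetite: bool
    immediate_action: bool  # valuable data whose residual risk exceeds appetite
    decision: str


def normalized_score(dimension: str, answers: Dict[str, int]) -> float:
    """Weighted average of one dimension's answers, normalized to 0.0-1.0.

    A missing or out-of-range answer raises ValueError instead of being guessed,
    so an incomplete questionnaire cannot silently produce a low risk score.
    """
    weights = QUESTIONS[dimension]
    weighted = 0
    for question, weight in weights.items():
        if question not in answers:
            raise ValueError(f"missing answer for {question!r}")
        answer = answers[question]
        if not 0 <= answer <= MAX_ANSWER:
            raise ValueError(f"answer for {question!r} out of range: {answer}")
        weighted += weight * answer
    return weighted / (sum(weights.values()) * MAX_ANSWER)


def band(score: float) -> str:
    """Collapse a normalized score into the scorecard's High/Medium/Low bands (assumed cut-offs)."""
    if score >= 0.67:
        return "High"
    if score >= 0.34:
        return "Medium"
    return "Low"


def profile(use_case: str, answers: Dict[str, int], risk_appetite: float = 0.4) -> Scorecard:
    """Score one data use case; risk_appetite is the residual-risk ceiling (assumed value)."""
    value = normalized_score("value", answers)
    risk = normalized_score("risk", answers)
    control = normalized_score("control", answers)
    residual = risk * (1.0 - control)  # assumption: controls reduce inherent risk proportionally
    within = residual <= risk_appetite
    # Outside appetite is not an automatic denial: the governing body makes that call.
    decision = "Approved" if within else "Refer to governing body"
    immediate = band(value) == "High" and not within
    return Scorecard(use_case, value, risk, control, residual, within, immediate, decision)


def render(cards: List[Scorecard]) -> str:
    """One line per use case, the shape of the centralized review the article describes."""
    lines = [f"{'use case':<22} value  risk   ctrl   residual appetite  decision"]
    for c in cards:
        lines.append(
            f"{c.use_case:<22} {band(c.value):<6} {band(c.risk):<6} {band(c.control):<6} "
            f"{c.residual_risk:.2f}     {'within' if c.within_appetite else 'outside':<8}  {c.decision}"
        )
    return "\n".join(lines)


# Constructed sample answers (invented for the example, not real questionnaire data).
SAMPLE_ANSWERS = {
    "customer analytics": {
        "revenue_dependency": 4, "decision_support": 3, "reuse_breadth": 2,
        "personal_data_sensitivity": 4, "regulatory_exposure": 3, "external_sharing": 2,
        "access_control": 1, "encryption": 0, "retention_managed": 1, "quality_monitored": 2,
    },
    "office floor plans": {
        "revenue_dependency": 1, "decision_support": 2, "reuse_breadth": 1,
        "personal_data_sensitivity": 1, "regulatory_exposure": 1, "external_sharing": 0,
        "access_control": 4, "encryption": 4, "retention_managed": 3, "quality_monitored": 2,
    },
}

if __name__ == "__main__":
    print(render([profile(name, a) for name, a in SAMPLE_ANSWERS.items()]))
```

The point of the separate value and risk scores is visible in the first sample: the data is High value and High risk but its controls score Low, so it is flagged for immediate action rather than buried in an average. Refusing incomplete questionnaires matters for the same reason; a blank answer scored as zero would make a data set look safer than anyone has actually assessed it to be.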



RISK & COMPLIANCE

GDPR BEST PRACTICES: A PRAGMATIC APPROACH

BY BARRY MOULT

A little over a year ago, my colleague Andrew Harvey and I presented an informal GDPR discussion at the UK-based Information & Records Management Society (IRMS) annual conference. It was just two weeks before GDPR went live on May 25, 2018. Our presentation was a ‘Smith & Jones talking heads’ (you can look it up on YouTube) sort of a ‘pub chat’—so with a pint of beer in hand (and one or two before!) we discussed in a light-hearted way what was required for GDPR implementation and what compliance meant for health and social care in the UK. This year at the same conference we based our presentation on the UK TV series, “One Foot in the Grave,” (again see on YouTube). I played the grumpy, miserable, moaning old man, Victor Meldrew, while Andrew played a sensible man at work reassuring that all was well with GDPR and it was now time to move to Business As Usual (BAU).

And that is precisely the point: For many organizations, GDPR has become BAU. There have always been challenges, inappropriate access, data breaches, and investigations, so we just need to get on with it. We sought to reassure people that, if they were compliant with the old UK Data Protection Act 1998, then they were probably 80% compliant with the requirements of GDPR. It’s the other 20% that has been the problem for some. There is a greater emphasis on Data Protection Impact Assessments, Records of Processing Activity, and Breach notification. At the first-year anniversary of GDPR (I’m not sure who was celebrating!) the UK regulator said that in the coming year she will be looking at Data Protection Officers embedded in organisations to ensure that organisations were applying the accountability principle (demonstrating compliance with the law). So where are we with GDPR almost (at the time of writing) a year and a half down the road? I read on LinkedIn and privacy websites that many organisations are not near compliant with GDPR, which is worrying, if true.

Personally, I work with a number of health organisations all at varying stages of compliance. Some are charities with limited income, dependent on donations and sponsorships. They are delivering excellent health care but need support on GDPR compliance.


What do I see as the main problem areas? First let me say, many small (and not so small) health care organisations over the last two years have been fed misinformation and myths about GDPR, and correcting the impact of this has been a challenge (i.e. particularly, no one wants to admit they have taken wrong advice); and it has cost them in time and finances and many have had to start over again. In my work across different health organisations there are five main issues, each one needing thought, and a practical, pragmatic approach.

1. The use of ‘consent’ for direct care purposes, or should I say, ‘NO consent’ required for direct care purposes. There is a difference between consent for clinical procedures and consent to share information for direct care purposes. I’ve been talking to many groups calling it out as ABC (Anything But Consent). The UK regulator has also commented that consent is not required for direct care purposes. GDPR article 9(2)(h) gives an exemption for direct care and we don’t need to ask the patient for consent to share. Yet due to misinformation, this is still a problem in the UK. However, I’m pleased to say the message is starting to get through. Consent may seem easy but it is complex, when it is for legal purposes.

2. Record of Processing Activity (Article 30). This is a huge issue for compliance. In simple terms, I ask if they have a record of data flows and an Information Asset Register? I’m not sure whether to laugh or cry at some of the examples I’ve seen, which were, in a word, pathetic. They certainly would not demonstrate compliance. Do they know what information they have? Where the information is held? What’s the purpose of it? Who has access to it? How is it secured? Who is it shared with? How long is it kept? And what risk is associated with it? To me, one of the most important questions is; what is the legal basis for processing the data? Many—and I mean many—have not done this in a way that would demonstrate compliance with GDPR. The reason is not a willingness, but the size of the task they have been advised to carry out. I have seen many systems and spreadsheets that contain dozens and dozens of fields/columns. They are huge and onerous to complete, so they are simply put off. They don’t get done, or are done badly (lots of information missing). I know organisations who brought in a team of experts to do their data flows and Information Asset Register, and then the moment they left—no one kept it up to date, and it hasn’t been touched for a year or more. So to take a practical and pragmatic approach, to make it doable and easy to keep up to date, not onerous, or long winded: simply capture what is required (you can add to it later). I’d rather they did something than nothing (or doing it badly, because it is too long and laborious to do).

3. Data Protection Impact Assessment (DPIAs). Forgive me if I’m wrong, but there has always been a requirement to do them: they were written into project plans. How many times have I been told a new system or service is going live next week—(or in some cases has already gone live) and no DPIA has been done? I’ve seen unsafe practices and systems, but too late, and it is still happening, even though there is a legal requirement (in some cases) to complete one. I have about 30-40 different DPIA templates from different organisations on my laptop; there is no right or wrong template, you need to find one that suits your organisation and customize it. Many of these DPIAs are just way too long, some as much as 20-30 pages. They don’t get completed correctly, and important information is missing. Staff employees tell me they are too long and they don’t have time to do them. I advise a workable, doable DPIA which captures the important things about the data, the supplier, data flows. I describe it as the Health & Safety Risk assessment for Information. Once completed (incidentally not by the Data Protection Officer [DPO]), it should be assessed for any potential risks. Can any risks be mitigated? Risks that can’t be mitigated must be owned by the organisation and documented.

4. My last ‘best practice’ tip is Document, Document, Document, Document. Have I said that enough? Document, Document. Every organisation makes decisions day by day on what information it holds, gives access to and shares with others. Sometimes this is not straight-forward. Sadly, the law is not always my friend, and there are times in health and social care when I have to recommend a decision based on ethical or moral grounds. It is not always easy; health data is complex. My advice is to document your decision, specifically what advice had been sought, and the rationale behind your decision. Will we always get decisions right? NO, but if an investigation or audit should take place you can demonstrate that you did all that was reasonable with the knowledge, advice and resources available to you. We have to demonstrate compliance with the law, and after working in the general field of Information Governance for nearly 25 years, I take a practical and pragmatic approach. In health, the patient comes first, and staff have limited time for the admin (as important as we believe it to be), but they need to be able to do it, and do it properly, yet without it being over onerous. They need to be able to go back to it, to update it, or it will be out of date and non-compliant with the requirements of GDPR.

5. Carrying out ‘due diligence’ on suppliers of services to organisations is one last area of compliance I wish to address. Back in 2012, Brighton Hospital was fined by the UK regulator £325,000 (the highest fine levied at the time) after 252 computer hard drives containing information on thousands of patients were found for sale on eBay. A member of staff in the company responsible for destroying the hard drives removed them and put them on eBay for sale. When I heard about this, I immediately carried out an audit of what happened to hard drives from our old computers. I was determined that the same was not going to happen in my organisation. I literally followed a truck nearly 200 miles to the depot, and then I watched the process of each computer or hard-drive being destroyed. I returned and completed a report. I did the same for off-site storage of records, and for the confidential waste destruction. I recall visiting a unit that printed letters for outpatient appointments, to see how that worked and if it was secure. Other due diligence activities with suppliers of services can include checking that they are compliant and up to date with standards, and registered with professional bodies, and have up-to-date certifications. Sometimes it involves a simple website check, requesting copies of registrations and policies. I might even ask if they have a footprint in another organisation, and give that organisation a call. In the UK, all companies have to register with ‘companies house,’ so a quick search will tell about the company, its directors and submitted accounts. This again will demonstrate compliance with GDPR regulations, but please document, document, document your findings!

Taking a practical and pragmatic approach to GDPR can help organizations meet their basic obligations, while minimizing the imposition on administrative employees.

BARRY MOULT IS AN IG CONSULTANT FOLLOWING NEARLY 25 YEARS DELIVERING IG IN THE UK HEALTH & SOCIAL CARE SYSTEM. HE IS A DATA PROTECTION OFFICER, IG TRAINER AND CONFERENCE SPEAKER. HE IS CHAIR OF THE LARGEST IG FORUM IN THE UK, AND FORMER CHAIR OF THE NHS NATIONAL NETWORK. HE TAKES A PRACTICAL AND PRAGMATIC APPROACH TO DATA PROTECTION. BARRY IS MARRIED, WITH A SON AND DAUGHTER WHO CURRENTLY WORK IN THE NHS. MR. MOULT CAN BE REACHED AT BJM@IGPRIVACY.CO.UK


AN IAR IS GOOD FOR GDPR! BY REYNOLD LEMING

An Information Asset Register [IAR] catalogues and profiles the physical records, electronic content, data and applications that an organisation maintains. The General Data Protection Regulation [GDPR], and associated local data protection law, contains many obligations that require a thorough understanding of what personal data you process and how and why you do so. An IAR is a helpful tool for seeking and sustaining GDPR compliance in these areas. Whether in spreadsheet form or (ideally) a database, an IAR provides the inventory of, and insight into, personal data that helps in a number of ways. Examples include:

Article 30, Records of processing activities: Many requirements for keeping records as a data controller under GDPR Article 30 can be supported by the information asset inventory. This includes describing:
• the purposes of the processing
• the categories of data subjects
• the categories of personal data
• the categories of recipients to whom the personal data have been or will be disclosed
• transfers of personal data to a third country or an international organisation
• the envisaged time limits for erasure of the different categories of data
• a general description of the technical and organisational security measures

[Figure: “Gaining Personal Data Insight”. A diagram linking the asset register to: Categories of Data Subjects; GDPR Article 30 Records of Processing Activities; Categories and Sources of Personal Data; Update Consent Forms/Privacy Notices; Purposes of Processing; Respond to Data Subject Requests and Rights; Who Shared With, How and Why; DP by Design and DP Impact Assessments; Time Limits for Erasure; Update Sharing Agreements; Protective Measures in Place; Mitigate/Report Data Breaches.]

It will also help data processors keep a record of the categories of processing, transfers of personal data to a third country or an international organisation and a general description of the technical and organisational security measures.

Keeping data subjects informed: Much of the information about personal data required for Article 30 compliance is also useful to meet obligations under Article 13 and Article 14, for example via privacy notices or consent forms. Depending upon the circumstances, this can include:
• the categories of personal data concerned
• the source of the personal data
• the purposes of the processing
• recipients
• the period for which the personal data will be stored
• whether the provision of personal data is a statutory or contractual requirement
• legitimate interests pursued
• the existence of automated decision-making

Meeting the rights of the data subject: Under Chapter 3 of the GDPR, data subjects have a number of rights. Understanding things like the location, format, use of and lawful basis of processing for different categories of personal data will support responses to rights and requests relating to:
• access
• rectification
• erasure
• restriction of processing
• data portability
• objection
• automated individual decision-making

Data Protection by design and default: Under Article 25 of the GDPR there are requirements for Data Protection by design and by default. Additionally, under Article 35 there are requirements relating to Data Protection impact assessments. The inventory can provide insight into which processes and systems need to be assessed, based upon, for example, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons posed by the processing.

Monitoring sharing agreements: As aforementioned, it is important to identify who personal data is shared with. The inventory can support this, as well as specifically enable monitoring of the existence or status of suitable agreements. For example, under Article 28 of the GDPR, processing by a processor shall be governed by a contract or other legal act under Union or Member State law.

Addressing security risks: Article 32 of the GDPR covers security of processing, with requirements to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. Using the inventory, you can then assess the security measures in place for assets against their level of confidentiality. It can also help with identifying the data sets where, if anything unfortunate were to happen, there are considerations regarding Article 33 (Notification of a personal data breach to the supervisory authority) and Article 34 (Communication of a personal data breach to the data subject).

In addition to the above, an IAR can also be used to record an ongoing audit trail about the assets. This is, for example, important to prove that retention and disposal policies are being adhered to. Therefore, an asset register can be used to record “transactions” against an asset, such as when batches of paper documents are shredded or sets of electronic files or system data are digitally purged and destroyed.

REYNOLD IS AN EXPERIENCED IG PROFESSIONAL, WORKING IN THE DATA SERVICES AND RECORDS MANAGEMENT INDUSTRY FOR OVER 30 YEARS. HE IS THE FOUNDER OF INFORMU SOLUTIONS, WHICH DEVELOPS AND PROVIDES AN INFORMATION ASSET REGISTER SYSTEM. REYNOLD IS ALSO VICE CHAIR OF THE UK AND IRELAND’S INFORMATION AND RECORDS MANAGEMENT SOCIETY. HE MAY BE REACHED AT REYNOLD@INFORMU-SOLUTIONS.COM


RISK & COMPLIANCE

COLLABORATION TOOLS HAVE AN IG PROBLEM BY BAIRD BRUESEKE

Major corporations worldwide utilize collaboration tools to enhance worker productivity. In today’s workplace, employee mobility is essential. It is quite common for team members to be located in different cities, meeting and working together in virtual conferences, and sharing presentations which include multiple files in many different formats. The collaboration tool market is dominated by a small number of software platforms which include: Salesforce, Workday, OpenText and Oracle’s NetSuite. All of these collaboration platforms utilize in-line viewing software to share the information on the presenter’s computer with other team members. This practice is in line with Information Governance (IG) best practices because it shares information visually, but does not actually transfer files from the host computer(s) to other, external computers not under the control of the organization. This maintains control of information assets.

The implementation of enterprise-class collaboration platforms has allowed corporations to tell auditors that the risk of data exfiltration via file sharing has been abated for this activity, and that ubiquitous sharing of intellectual property amongst virtual team members is OK and in compliance with the appropriate regulatory guidelines. In many ways, this perception has sped up the adoption and use of the major collaboration platforms. Unfortunately, the “Everything is OK” message is disingenuous because all of the major software vendors have some specific problems with their in-line display technology. The basic issue is that all the collaboration software vendors have problems displaying certain types of files. Although not necessarily a daily occurrence, the “No Preview Available” message is a known issue within the collaboration platform user community. In today’s fast-paced economy, it is typical for team members to overcome this roadblock by sharing files via email, contrary to the organization’s IG policies and opening up the risk of intellectual property (IP) loss and compliance failure.


To understand this issue in more detail, consider that organizations typically have two types of content: transactional and fixed. Transactional content is agile and subject to editing. It is almost always created with a Microsoft Office product (Word, Excel, PowerPoint). Conversely, fixed content is at the end of the creation lifecycle, typically published and stored in the ISO standard PDF/A-1 format. The most common root cause of the in-line display failure is the many versions of MS Office and the associated feature updates, which sometimes require a patch or a plugin in order to be fully functional. The collaboration platforms incorporate content viewing technologies which are challenged to accurately translate or convert Office files. These product failures result in poor customer experience and additional labor costs. In the best scenario, members of the presentation team convert the non-functioning file to a newer format and reschedule the meeting for a time when it can be properly displayed. In the worst case, the presenter emails the file to team members in an attempt to overcome the roadblock in real time and thus keep the schedule on track.

An anecdotal story may help to illuminate the various issues with in-line display technology. Consider the scenario in which a senior director with P&L responsibility for a $100 million manufacturing unit is making his quarterly report to the executive team. The meeting starts out with all the normal pleasantries; then, four slides into the presentation, there is a collective gasp… it seems like output has dropped 15%! What has really happened is that the display technology transposed the green and red colors on the chart. The senior director is puzzled by the “virtual room’s” audible response. His factory is doing great. They are exceeding expectations. The CEO interrupts the director, berating him for not giving the executive team a heads-up that bad news was coming. The director still does not understand what has gone wrong, since the charts he is looking at depict the story he was excited to tell. Five minutes later, the disconnect has been identified, apologies made, and the team attempts to regain the lost momentum. This unpleasant situation actually occurred during the spring of 2019. Even though the disinformation resulted from an in-line display issue, the executive team lost confidence in the division manager and he did not get the performance bonus he had been anticipating.

IG World has determined that the in-line display technology deficiencies in popular collaboration tools represent a significant IG policy compliance risk. These deficiencies exist in all the major platforms, including Salesforce, Workday, OpenText and Oracle’s NetSuite. We believe this issue is being swept under the rug at many organizations, and therefore it is our responsibility to publicize it so that the IG teams responsible for organizational risk and compliance can take action to address this problem.



RISK & COMPLIANCE

EMPLOYEE PRIVACY BY DESIGN: GUIDANCE FOR EMPLOYERS BEGINNING TO COMPLY WITH THE CALIFORNIA CONSUMER PRIVACY ACT

BY JUSTINE PHILLIPS, JESSICA GROSS AND DANIEL MASAKAYAN

On September 13, 2019, the California Senate and Assembly unanimously passed an amendment to the California Consumer Privacy Act (“CCPA”) that places onerous obligations on employers and entitles employees to statutory damages for data breaches. As of the date this article was written, AB 25 awaits Governor Newsom’s signature. Regardless of whether AB 25 is signed into law, CCPA applies to employee data and employers have until January 1, 2020 to comply. This article explores how the California Consumer Privacy Act impacts existing employee privacy rights and how employers can begin to develop a holistic privacy compliance program.

What Businesses Are Covered by the California Consumer Privacy Act?

The CCPA covers for-profit “businesses” that do business in California and meet any one of the following thresholds:
• Gross annual revenue exceeds $25 million; or
• Buys, receives, sells, or shares personal information of 50,000 or more consumers, households, or devices; or
• Derives 50% or more of its annual revenue from selling personal information.

Businesses do not have to be located in California for CCPA to apply. CCPA applies if one of the foregoing thresholds is met, the company does business in California, and the business has “consumer” data covered by the Act. Under CCPA, “consumers” is broadly defined as any “natural person who is a California resident.” (Civ. Code § 1798.140(g).)

Are Employees “Consumers” Under CCPA?

Since CCPA’s passage in June 2018, there has been fierce debate about whether “consumers” include employees. AB 25 has laid that debate to rest and made clear that “a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business” would immediately receive some rights under the CCPA. (Civ. Code § 1798.145(g)(1)(A).) AB 25 will also extend rights beyond employees to include individuals identified by employees as emergency contacts, and also employees’ dependents whose information was provided to administer benefits. In 2021, such individuals would be afforded full rights under the CCPA. (Id. at § 1798.145(g)(4).) If AB 25 is vetoed, then these individuals will receive all rights under CCPA on January 1, 2020. For simplicity, when we refer to “employee data” throughout this article, we intend to include applicants, current/former employees, independent contractors, owners/directors/officers/dependents, and emergency contacts.

Understanding Employee, Dependent and Emergency Contact Privacy Rights – The Beginning of the End

In the Golden State, employees have long enjoyed greater rights to privacy and statutory rights to inspect employment records. Like all Californians, an employee’s right to privacy begins with the California Constitution and is bolstered by various laws. Employment records are deemed confidential and protected from disclosure absent a subpoena and consumer notice. Civ. Code Proc. § 1985.6(e). Employees also have a statutory right to inspect the following employment records: payroll records (Lab. Code § 226); documents signed during employment (Lab. Code § 432); records related to performance or a grievance (Lab. Code § 1198.5); and OSHA records for employee exposures to potentially toxic materials (Lab. Code § 6408(d)). Failure to comply with these inspection rights gives rise to statutory damages. For example, Labor Code 226 requires employers to allow inspection of payroll records within 21 days after a request is made, or else the employee is entitled to $750 in statutory damages. Until now, an employee’s right to inspect employment records was limited to the foregoing categories. CCPA dramatically expands employee rights in three significant ways: (1) it requires mandatory privacy notices and disclosures about the data collected by employers and the purpose for collection; (2) it provides for statutory damages ranging from $100-750 if sensitive personal information is breached; and (3) it expands the right to request access/deletion of personal information.

Mandatory Employee Privacy Notices Beginning January 1, 2020

Employee privacy disclosures and appropriate use policies are nothing new. Such policies are typically used to inform employees of workplace monitoring and diminish expectations of privacy. California courts reinforce the importance of employers maintaining and widely publicizing an employee privacy notice with respect to the use of technology in the workplace. Courts have consistently upheld an employer’s right to monitor its employees’ computer use and override other privacy/confidentiality interests so long as there is a clear policy that employees have no expectation of privacy in data transmitted on company systems. AB 25 will expand the scope and content of such employee privacy policies. As of January 1, 2020, employee privacy notices must also disclose:
• The categories of personal information the company has collected; and,
• The purposes for which the categories of personal information will be used.

“Personal information” is omnipotently broad under CCPA and includes “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer.” Civil Code 1798.140 (o)(1). The definition goes on to identify 11 categories and data elements like “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data,” to name a few. Simply put, employers must disclose all categories of personal information they collect, the purpose of collection, and how the information will be used.

Enforcement. For now, there is no private right of action for failure to comply with these rights. Instead, the Attorney General has sole and exclusive jurisdiction to enforce these violations.

Statutory Damages ($100-750 per Consumer) for Data Breaches Beginning January 1, 2020

In 2002, California passed the first data breach notification law in the world (see Civ. Code § 1798.81.5) and required businesses to “reasonably secure” personally identifiable information. That law has evolved through the years, and today requires businesses to notify consumers (including employees) in the event any of the following sensitive personal information is accessed by an unauthorized user:
• An individual’s first name or first initial and his or her last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  • Social security number;
  • Driver’s license number or California identification card number;
  • Account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  • Medical information; or
  • Health insurance information.
• A username or email address in combination with a password or security question and answer that would permit access to an online account.

Enforcement. CCPA gave the old law a new (and expensive) attitude by providing consumers with a private right of action to recover statutory damages ranging from $100-750 per incident, per employee, if any of the information listed in the breach statute is subject to unauthorized access or disclosure. (Civ. Code § 1798.150(a)(1).) Similar to PAGA, CCPA allows consumers to bring a cause of action on behalf of others similarly situated, which will make these claims ripe for class action litigation.

Employee Rights to Access & Request Deletion of Data Beginning January 1, 2021

In addition to the disclosures above, AB 25 amends the CCPA to extend full protection and statutory rights to applicants, employees, and independent contractors, including:
• The right to request that a business disclose what personal information the company has collected;
• The right to know what personal information is being sold or disclosed and to whom;
• The right to request and receive a copy of all of the above information in a readily useable format;
• The right to request that the company delete their personal information (the right to be forgotten);
• The right to opt out of the sale of their personal information; and,
• The right to be free from retaliation for exercising any rights.

The obligation to comply with a deletion request is subject to numerous exceptions, including the right to keep data that must be maintained for other legal purposes or is consistent with the internal purpose for which it was collected. The majority of employee or applicant data will likely fall into one of these two exceptions.

Enforcement. For now, there is no private right of action for failure to comply with these rights. Instead, the Attorney General has sole and exclusive jurisdiction to investigate these violations.

Beginner’s Mind: What Can Employers Do to Prepare for CCPA?

Every day we get a chance to begin again. Below is actionable guidance to kickstart your employee privacy by design program or update existing privacy programs:
• Data Mapping. Maya Angelou once said “if we know better, we

do better.” If we know what data our organization maintains, we can do a better job meeting our legal obligations under CCPA. Document a comprehensive inventory of employee data. Knowing what employee data your organization collects is critical for two reasons: (1) disclosure obligations and (2) security obligations. A business cannot secure data if it does not know where it lives. Human Resources questionnaires or live interviews can help solicit feedback from key stakeholders to identify personal information collected for payroll, benefits, HR, tax, IT and other employment purposes. Once you know how employee data flows in and out of the organization, prepare a visual diagram to help navigate other tasks.
• “Reasonably Secure” Sensitive Employee Data. Reasonable security for sensitive data is not a new requirement, but the risk imposed by CCPA puts security at the top of our list for immediate action. After data mapping is complete, classify as “sensitive” any data that includes protected elements like Social Security Number, Driver’s License Number, financial information, health/insurance information, or username/password. As previously reported, the California Attorney General opined in a 2016 Data Breach Report that “reasonable security” of sensitive data includes encryption, multi-factor authentication and compliance with the Center for Internet Security’s Critical Security Controls. Consult with a qualified cyber security consultant to conduct a “reasonable security” assessment for employee data.
• Vendor Management. CCPA has flow-down provisions that require you to understand how third parties use, share and secure that data. Identify third parties and vendors that receive your employee or applicant data (e.g., payroll companies, health/benefits/wellness providers, HR consultants, staffing agencies, etc.). Once identified, conduct vendor inquiries and diligence about how they use, share and secure the data. CCPA requires specific language be included in third party agreements to qualify as a service provider (which offers some safe harbors for CCPA violations). To the extent third parties receive sensitive data like Social Security Numbers, Driver’s License numbers, financial information, health information, etc., make sure they have implemented strong security to protect the data. For example, a new threat is targeting a known vulnerability that is commonly used to support Human Resources, applicant and recruiting software and applications. Confirm with your vendors that they have mitigated the risk of the XML External Entity Processing vulnerability. Applicant data contains a treasure trove of sensitive data, and notice is required if that data is breached—even if the breach occurs on your vendor’s website and not your own systems.
• Data Minimization Principles. All good privacy by design programs reduce the amount of data collected to the minimum required to achieve their objective. Consider updating and enforcing your document retention policies to reduce the amount of data maintained. In the employment context, make sure former employee files are routinely destroyed pursuant to the retention schedules. Also, analyze whether the benefits of collecting data outweigh the risk. If so, limit the amount of data collected and maintained.
• Update Employee Privacy Policies. Dust off existing employee privacy policies and include disclosures about categories/types of information collected and the purpose for its collection. Whether in employee handbooks, stand-alone disclosures, onboarding documents, or online privacy policies, businesses should update their disclosures to ensure they provide all the necessary information required by CCPA and other relevant privacy laws.
• Applicant Privacy Disclosures. Similar to employees, applicants also must receive disclosures about data collected and its purpose for collection. Consider including disclosures on application forms or landing pages for online applications. Confirm any third-party hosted application or recruiting platforms are CCPA compliant and have signed a CCPA Privacy & Security Addendum to qualify as a “service provider.” You can also include CCPA disclosures on a separate stand-alone form. Do not include CCPA with FCRA/ICRA disclosures.
• Independent Contractor Disclosures. AB 5 codifies Dynamex Oct 4, and makes classification of independent contractors difficult in California. Given the anticipated wave of litigation expected, make sure to update any independent contractor agreements to confirm they are CCPA compliant and make adequate disclosures about data collection.

The Beginning is Always Today

All good stories have a beginning, middle and end. Employee privacy is no exception. We find ourselves at the beginning of a movement that will continue expanding employee rights. If AB 25 is signed, this will only provide a temporary reprieve for employers under the CCPA. However, by January 1, 2021, all applicants, employees, and independent contractors will have full rights under the CCPA, which include the rights to request and delete information.
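To make the “Data Mapping” and “Reasonably Secure” steps above concrete, here is an added example (not from the article or its authors) that encodes the breach-notice trigger as the article summarises it from Civ. Code § 1798.81.5 and applies it to a constructed employee data inventory: a data set is flagged “sensitive” when it holds a name together with one of the listed elements and either the name or that element is stored unencrypted and unredacted, or when it holds an online-account identifier together with a password or security answer. The `DataSet` record format, the field names and `SAMPLE_INVENTORY` are assumptions made for this illustration, not a standard schema.

```python
"""Classify an employee data inventory against the breach-notice trigger.

Added example, not from the article: the element list mirrors the
article's summary of Civ. Code 1798.81.5.  The DataSet record format,
the field names and SAMPLE_INVENTORY are constructed for illustration.
"""
from dataclasses import dataclass

# Elements that trigger notice only together with a name, and only when
# the name or the element is held unencrypted and unredacted.
NAME_LINKED_ELEMENTS = {
    "ssn": "Social Security number",
    "drivers_license": "driver's license or California ID card number",
    "financial_account_with_access_code": "account/card number plus a code permitting account access",
    "medical_information": "medical information",
    "health_insurance_information": "health insurance information",
}

# An online-account identifier plus a credential triggers notice on its own.
ACCOUNT_IDENTIFIERS = {"username", "email"}
ACCOUNT_CREDENTIALS = {"password", "security_question_answer"}


@dataclass(frozen=True)
class DataSet:
    """One row of the employee data map (constructed format)."""
    name: str
    fields: frozenset                     # data elements the set contains
    protected: frozenset = frozenset()    # elements stored encrypted or redacted


def breach_notice_reasons(ds: DataSet) -> list:
    """Return why a breach of this set would require notice ([] if it would not)."""
    reasons = []
    has_name = "name" in ds.fields
    name_plain = has_name and "name" not in ds.protected
    for key, label in NAME_LINKED_ELEMENTS.items():
        if has_name and key in ds.fields:
            element_plain = key not in ds.protected
            # The trigger applies if EITHER side of the pair is unprotected.
            if name_plain or element_plain:
                reasons.append(f"name + {label}")
    if ds.fields & ACCOUNT_IDENTIFIERS and ds.fields & ACCOUNT_CREDENTIALS:
        reasons.append("online account identifier + credential")
    return reasons


def classify(ds: DataSet) -> str:
    """'sensitive' sets need reasonable-security treatment and breach notice."""
    return "sensitive" if breach_notice_reasons(ds) else "standard"


def classify_inventory(inventory) -> dict:
    """Map each data set name to its classification."""
    return {ds.name: classify(ds) for ds in inventory}


# Constructed sample data map.
SAMPLE_INVENTORY = (
    DataSet("payroll_export",
            frozenset({"name", "ssn", "financial_account_with_access_code"}),
            frozenset({"ssn"})),            # SSN encrypted, but the name is plain
    DataSet("benefits_enrollment",
            frozenset({"name", "health_insurance_information"}),
            frozenset({"name", "health_insurance_information"})),  # both encrypted
    DataSet("hr_portal_accounts", frozenset({"email", "password"})),
    DataSet("training_roster", frozenset({"name", "department", "email"})),
)

if __name__ == "__main__":
    for ds in SAMPLE_INVENTORY:
        print(f"{ds.name}: {classify(ds)} {breach_notice_reasons(ds)}")
```

The `benefits_enrollment` row shows the caveat practitioners miss most often: encrypting only the sensitive element is not enough on its own, because a plain name alongside an encrypted SSN (the `payroll_export` row) still satisfies the trigger; both sides of the pair have to be protected to take a set out of scope.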
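The “Vendor Management” bullet above asks you to confirm that suppliers have mitigated XML External Entity (XXE) processing. An XXE document has to carry a DOCTYPE with an entity declaration, so one mitigation a vendor can point to is refusing any DTD before the parser acts on it. The following added example (not code from the article or from any vendor) shows that gate using Python’s standard-library expat bindings, the same approach the defusedxml library takes; `SAFE_DOC` and `DTD_DOC` are constructed samples, and the harmless internal entity in the second stands in for whatever a DTD might declare.

```python
"""Refuse XML that declares a DTD before any entity can be processed.

Added example, not code from the article or any vendor.  XXE needs a
DOCTYPE carrying an ENTITY declaration, so refusing every DTD up front
closes that path.  SAFE_DOC and DTD_DOC are constructed samples.
"""
import xml.parsers.expat


class UnsafeXMLError(ValueError):
    """Raised when a document declares a DOCTYPE or an entity."""


def _reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
    raise UnsafeXMLError(f"DOCTYPE for <{doctype_name}> is not permitted")


def _reject_entity(entity_name, is_parameter_entity, value, base,
                   system_id, public_id, notation_name):
    raise UnsafeXMLError(f"entity declaration '{entity_name}' is not permitted")


def parse_without_dtd(data: bytes) -> dict:
    """Parse `data` with DTDs refused; return a flat {tag: text} map."""
    parser = xml.parsers.expat.ParserCreate()
    # Exceptions raised inside expat handlers propagate out of Parse().
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity

    result, stack = {}, []

    def start(tag, attrs):
        stack.append(tag)
        result.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def chars(text):
        # expat may deliver one text run in several pieces; concatenate them.
        if stack:
            result[stack[-1]] += text

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.Parse(data, True)
    return result


def is_safe_xml(data: bytes) -> bool:
    """True if the document parses under the DTD gate, False if it was refused."""
    try:
        parse_without_dtd(data)
        return True
    except UnsafeXMLError:
        return False


SAFE_DOC = b"<applicant><name>Example Applicant</name><role>Analyst</role></applicant>"
# A harmless internal entity; the gate refuses the DTD regardless of what it declares.
DTD_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE applicant [<!ENTITY greeting "hello">]>'
           b"<applicant><name>&greeting;</name></applicant>")

if __name__ == "__main__":
    print(parse_without_dtd(SAFE_DOC))
    print("DTD document accepted:", is_safe_xml(DTD_DOC))
```

Refusing DTDs outright is stricter than disabling external entity resolution alone, but it is the easier property to verify in a vendor review: a parser that never sees a DOCTYPE cannot be coaxed into reading local files or making outbound requests through one, and it also removes entity-expansion denial of service from the same surface.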



LEGAL & eDISCOVERY

THE SEDONA CONFERENCE OFFERS UPDATED GUIDANCE ON LEGAL HOLDS BY BRAD HARRIS

In June 2019, The Sedona Conference released an updated version of its “Commentary on Legal Holds: The Trigger & The Process.” This article provides an overview of the Commentary, including changes adopted in the latest edition, and how IG professionals can benefit.

THE SEDONA CONFERENCE®

The Sedona Conference is a non-profit research and educational institute dedicated to the advanced study of law and policy. Its expert practitioners strive to fulfill the mission of “moving the law forward in a reasoned and just way” by providing written commentaries, principles, and best practice recommendations. The Sedona Conference guidelines are widely recognized and often cited by the courts as providing practical approaches to key legal issues. The “Commentary on Legal Holds: The Trigger & The Process” was first published in 2007 to provide guidelines for determining when a legal duty to preserve relevant information arises, as well as how to scope an organization’s preservation efforts. Often referred to as the ‘Legal Holds Commentary’ it quickly became a highly respected resource for parties faced with the daunting task of recognizing and responding to an organization’s preservation obligations. 62

INFOGOVWORLD.COM

The long-anticipated second edition to the Commentary was published in June 2019. The drafting team sought to incorporate amendments to the Federal Rules of Civil Procedure issued in 2015—changes that emphasized proportionality in discovery and addressed consequences arising from the loss of discoverable electronically stored information (ESI). The team also sought to reflect evolving state and federal case law on preservation and spoliation, and to provide updated guidance regarding new and emerging sources of information and technology. THE DUTY TO PRESERVE In 1722, a case of missing jewels established a common law duty requiring parties to a litigation to preserve relevant evidence. In the Armory v. Delamirie case (Court of King’s Bench, 1722), a jeweler had absconded with jewels from a ring, brought in for appraisal, and failed to produce them at trial. Unable to establish the value of the missing jewels, the Court ordered the defendant to compensate the plaintiff for a “diamond of the finest quality.” Without evidence to the contrary, the court in essence delivered an “adverse inference” about the loss. Evidence is crucial to our system of justice, and American civil procedures are dependent upon a fair and equitable pre-trial procedure known as discovery. Parties to litigation have a right to seek information about claims


and defenses that are in dispute, allowing that the data being sought is nonprivileged (i.e., not subject to protections such as attorney-client confidentiality), and proportional to the needs of the case. In order to ensure evidence is available to a requesting party during discovery, it must first be preserved. This legal duty to preserve data arises as soon as litigation is reasonably anticipated. Further, the failure to preserve relevant information either through its destruction or alteration, can have serious consequences. Such “spoliation” of evidence can lead to court-imposed curative measures and sanctions against the spoliating party. Actions can include requiring additional discovery in an effort to replace lost information, or incurring costly monetary fines. In the most egregious cases where a party is found to have intentionally destroyed information, sanctions can be imposed by the court to preclude the use of evidence, grant an adverse inference about what the lost data means to the case, or even dismiss the case and enter a default judgment. THE COMMENTARY ON LEGAL HOLDS The Commentary on Legal Holds paper is designed to help parties understand their preservation obligations, and to establish a set of best practice recommendations when determining how to respond to a duty to preserve. With no clear delineation specified in Federal and State rules as to when a party is obligated to start preserving information, nor what constitutes “reasonable and good faith” efforts, the updated Commentary lays out twelve guidelines to serve as a framework for developing preservation procedures tailored to an organization’s needs. The first six guidelines in the Commentary (Guidelines 1 through 6) address when a duty to preserve begins—the so-called “trigger event” that results in a party having an obligation to preserve data. Like many aspects of civil litigation, there is no “bright-line” that defines when

a triggering event has occurred (the oft-heard “it depends” response from a lawyer). Rather, the obligation arises when an organization, “is on notice of a credible probability that it will become involved in litigation, seriously contemplates initiating litigation, or when it takes specific actions to commence litigation.” When does a situation rise to the level of triggering a duty to preserve evidence? At times, there may be a clearly recognized event: the receipt of a complaint or demand letter, notice of a lawsuit, or initiation of a regulatory action (e.g., an EEOC claim). Or it may be something less black-andwhite, such as an ongoing contract dispute, an employee complaint, or a customer concern. The instigating event may be related to other actions, like a third-party subpoena request where the organization has the potential to become a party to the litigation, or a regulatory inquiry that suggests potential litigation. Because determining if a duty to preserve arises can be very factspecific, the Commentary offers guidance on factors to consider when evaluating the potential for litigation. It also emphasizes the importance of adopting consistent policies and procedures for making such a determination. For example, Guideline 2 describes how “adopting and consistently following a policy governing an organization’s preservation obligations” is often a key element of determining reasonableness and good faith. The second set of guidelines (Guidelines 7 through 12) provides recommendations on how best to respond to a preservation duty. Once the duty to preserve is recognized, the scope or extent of that duty must be determined—specifically, what information will be subject to discovery as being “relevant to any party’s claim or defense and proportional to the needs of the case.” Determining the scope of a legal hold is addressed in Guideline 7 of the Commentary. In determining a reasonable and proportional scope for preservation, an organization

will typically start with identifying the anticipated claims and defenses at issue. Who are the key players with knowledge or information relevant to the case? What types and sources of information are involved, and where is it retained? How can the scope of the hold be described and/or limited, such as articulating the subject matter, applicable file types, a date range, or geography?

“...expert practitioners strive to fulfill the mission of ‘moving the law forward in a reasoned and just way...’”

Once an obligation to preserve has been identified and the scope of that duty determined, the next step is notifying those who have possession or control over that information of the need to act to prevent its alteration or destruction. Most commonly, this includes issuing a written legal hold notice. Guideline 8 articulates elements of an effective legal hold process, including communicating details to custodians on what needs to be preserved, how preservation should be undertaken, and whom to contact with questions. An effective hold process includes a mechanism for ensuring that recipients have received, understood, and agreed to comply with the hold instructions. Best practices include sending regular reminders during the life of a hold, and periodically reviewing and amending instructions if the scope of the hold changes.

Guidelines 9 to 11 explain the importance of documenting the actions taken in response to the preservation obligation, and of regularly monitoring compliance with the hold. Finally, when preserving information is no longer necessary, the final step in the process is releasing the hold and instructing hold recipients to resume normal retention and disposition procedures.

Guideline 12 was added with the latest edition of the Commentary to recognize the importance of considering data privacy regulations as part of an organization’s legal hold process. Regulations such as the EU’s General Data Protection Regulation (GDPR) and local rules such as the California Consumer Privacy Act (CCPA) offer privacy protections that may affect how employees are directed to preserve or collect data necessary for discovery. Regulations like these articulate the rights of data subjects, such as the right to consent to how personal data is to be used or transferred. Privacy regulations may also place limitations on the flow of data across international borders.

For IG professionals, the Commentary on Legal Holds offers useful illustrations and recommendations to better inform retention and disposition policies, improve legal hold procedures, and enhance business practices to reduce cost and mitigate the risk inherent in responding to preservation obligations. The Commentary on Legal Holds, Second Edition: The Trigger & The Process is free to download for personal use from The Sedona Conference’s website at https://thesedonaconference.org/publication/Commentary_on_Legal_Holds.
BRAD HARRIS IS A DISTINGUISHED FELLOW FOR EDISCOVERY AT ZAPPROVED LLC, A PIONEERING LEADER IN CLOUD-BASED EDISCOVERY SOFTWARE FOR CORPORATE LEGAL AND COMPLIANCE DEPARTMENTS. BRAD HAS EXTENSIVE EXPERIENCE ASSISTING ENTERPRISE ORGANIZATIONS ENHANCE THEIR EDISCOVERY READINESS THROUGH TECHNOLOGY AND PROCESS IMPROVEMENT. BRAD IS A FREQUENT AUTHOR AND SPEAKER ON DATA PRESERVATION AND EDISCOVERY ISSUES AND IS AN ACTIVE MEMBER OF THE SEDONA CONFERENCE WORKING GROUPS 1 & 6. HE MAY BE REACHED AT BRAD@ZAPPROVED.COM


News

EPIQ LAUNCHES GLOBAL IG SERVICES TO MANAGE SENSITIVE LEGAL AND CORPORATE DATA

Epiq, a global leader in the legal services industry, announced enhanced Information Governance (IG) services to help clients efficiently and compliantly manage their electronically stored information in all environments, including on-premise, cloud, or hybrid systems. Moving to the cloud increases internal collaboration capabilities and can be a transformative shift for high-performing businesses. Epiq has now announced improved capabilities to help companies globally drive efficiencies in their business, control their data management and eDiscovery costs, and reduce the risk of regulatory-related fines.

“IG is not a single, one-time event; it is a journey,” said Tammy Klotz, Director of Information Security at Versum Materials. “The art is balancing protection and productivity to match your organization’s risk appetite. You cannot do this alone. We have had a couple of false starts.”

Roger Pilc, president of legal solutions at Epiq, stated, “Our capabilities have substantially improved since 2018, when we acquired Controle LLC, an innovative IG-focused SaaS software and professional services firm. With the additional expansion of our global IG practice, Epiq is uniquely able to provide clients with the industry’s most robust and efficient tools to control digital information and mitigate regulatory, compliance, and security risks.”

The new information governance services at Epiq include:

• Data compliance: Microsoft Office 365 data compliance enablement services at Epiq help clients configure solutions to address requirements of the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other data privacy laws and processes, including data subject access requests. Additionally, Epiq helps enterprises create legally defensible retention policies and strategies, as well as assisting with data discovery and classification.

• Data migration: Epiq supports migration of legacy workloads and disparate data stores to the cloud, including email, SharePoint files, on-premise files, and social media data. The suite of services provided by Epiq includes legally defensible migration and deletion methods that help reduce overall costs for an enterprise.

• Data security: Microsoft Office 365 data security services from Epiq help clients enable the complete suite of services offered in the Office 365 Enterprise Mobility and Security (EMS) Suite. The service manages security breach identification, incident response, security score improvement, and data breach notifications. As part of this process, Epiq helps clients execute the proper data classifications needed for effective EMS Suite usage.

In addition, Epiq has increased its global privacy compliance expertise by hiring a breadth of talented individuals who support and manage the Microsoft Office 365 data security and compliance services at Epiq. The IG team of experts has proven experience in privacy policy, compliance, information management, security, and information technology, in addition to offering robust consulting services in the North America, EMEA, and APAC regions. Epiq is a Microsoft Gold Certified Partner and participates on the Microsoft Security and Compliance Partner Advisory Council, an invitation-only council of experts who advise on Microsoft 365 products.


ZAPPROVED & NUIX PARTNER IN PROCESSING FOR IN-HOUSE LEGAL TEAMS

Zapproved LLC and Nuix have entered into a strategic technology alliance that will integrate Zapproved’s ZDiscovery platform for managing in-house litigation response with the Nuix processing engine for electronic discovery. Zapproved stated that this partnership will improve the speed, file coverage, and flexibility of its ZDiscovery platform by leveraging the powerful processing capabilities of Nuix. The integration of the two platforms will be available to Zapproved’s users in 2020.

Monica Enand, CEO and Co-founder of Zapproved, stated, “We are seeing a surge in adoption of our early case assessment (ECA) and review product among in-house legal teams, and we saw an opportunity to further enhance our platform with the Nuix processing engine by integrating it with the industry’s leading legal hold management system used by hundreds of enterprises. We work in partnership with others in the ediscovery ecosystem, and this is a creative path to work with a proven leader to further support our many hundreds of in-house teams.”

Rod Vawdrey, Group Chief Executive Officer of Nuix, added, “Nuix and Zapproved have worked together for many years and this is a natural step in our relationship.”

According to BDO’s 2019 Inside E-Discovery & Beyond survey, published in April 2019, “[a]s the volume of data explodes and data privacy and regulatory compliance concerns grow, 71 percent of corporate counsel are considering leveraging technology and/or best practices to streamline their legal operations in the next 12 months…. That number climbs to 91 percent for organizations with annual revenues of over $1 billion.” Zapproved echoed these findings, saying that growth of in-house processing and review systems is accelerating in response to the need to lower eDiscovery costs and increase data security.

X1 CLOSES $5.1 MILLION SERIES B FUNDING TO EXPAND ON STRONG GRC AND EDISCOVERY TRACTION

In early October, X1™, a global leader in enterprise-class, distributed governance, risk management & compliance (GRC) and eDiscovery software, announced a $5.1 million Series B funding round led by Palisades Growth Capital. Former head of HP Software, George Kadifa, also participated in the funding, which benefited from the company’s strong recent traction and experienced management team led by CEO Craig Carpenter and CTO Brent Botta, both veterans of highly successful eDiscovery, GRC and cybersecurity startups like Fortinet, Recommind and Guidance Software. X1 will use the Series B proceeds to hire aggressively in development and sales, and to expand its global channel network and brand to meet rapidly increasing demand.

The global enterprise GRC market is expected to be worth $64.62 billion by 2025, while the eDiscovery market will hit $17.32 billion by 2023. X1’s unique distributed architecture, which allows compliance, cybersecurity, eDiscovery, forensics and privacy teams to access employee data in place and in real time, whether on laptops, servers, in SaaS applications or in the cloud, is impacting both the eDiscovery and GRC markets. X1 is leveraging its large, global customer base to deliver next-generation data actionability, thereby quickly and cost-effectively addressing Global 1000 firms’ most pressing data challenges.

George Kadifa, former head of HP Software, stated, “Businesses have been experiencing regulations like GDPR and the California CPA, CFIUS investigations, FCPA and civil/corruption proceedings, all involving digital evidence. This has created a massive impact on their operations that traditional solutions are unable to address. X1 is uniquely capable of delivering an efficient architecture and workflow that reduces timelines from weeks or months to hours.”



RECORDS & INFORMATION MANAGEMENT INTERVIEW W/ ANDREW YSASI

Andrew Ysasi has over 20 years of professional experience in records management, including sales, IT, and management roles, leading to ten years of executive management at Kent Records Management, which was acquired earlier this year by Vital Records Control (VRC). He is passionate about helping people and organizations succeed and thrive through mentoring, team development, transparency, hard work, and setting achievable goals. Andrew has the rare ability to explain technical and business matters clearly, while communicating on a personal level, which has elevated him to executive leadership positions in various organizations and associations, and allowed him to conduct business globally. Andrew is a subject matter expert, writer, sought-after speaker, and past university instructor. As Vice President of Advocacy at VRC, he is tasked with mentoring, educating, volunteering, and advocating for all matters related to records management and information governance (IG). Andrew is currently the President of IG GURU®, an IG news organization that ensures relevant IG news is shared with the IG community. He is also a guest host on the Inside the Records Room podcast, serves on the i-SIGMA (NAID/PRISM) board, is a contributor to ARMA’s IGBOK, and is a former Regent for the ICRM. Andrew also owns Admovio, a career coaching business, and his resume makeover work is featured on CIO.com. Andrew holds certifications in IG, project management, information security, information privacy, and records management. Andrew is also a Fellow of Information Privacy with the International Association of Privacy Professionals (IAPP). Andrew has a bachelor’s degree in information technology, a master’s degree in administration, and has completed coursework towards a doctorate in strategic leadership. We caught up with Andrew near his home in Grand Rapids, Michigan.

IGW: Where did you grow up and begin your career?

AY: I grew up in Grand Rapids, Michigan, USA. Grand Rapids grew up as a furniture town and is now home to breweries, universities, research, and tech companies. The Greater Grand Rapids area is home to about a million residents—Chicago and Detroit are about three-hour drives, and I have been known to make it to Toronto, Canada in six hours!

IGW: What is your heritage and family background?

AY: My ancestors immigrated from Spain, Mexico, Ireland, and Germany in the 1800s and early 1900s. Hard work is in my blood, and my parents sent my siblings and me to private schools to prepare us for college. Soon after high school, in the late 1990s, I got a job at a computer store and studied computers in college. My career began as a computer repair technician.

IGW: What experiences did you have early on as an IT person? And what changes in technology and IG have you seen?

AY: Early on, I had the pleasure of working with some smart people who weren’t afraid to be called geeks! And I also learned how to deal with customers. The geeks were into cybersecurity, and they quickly fixed computers and networks to pass the time as they honed their security skills. I’ll never forget how passionate they were about technology, and that passion infected me. My bosses at my first and second jobs were both entrepreneurs, so I learned that we had to work hard to make money and that our work mattered to keep clients happy. Also, it felt rewarding fixing issues they had with their computers to get them back up and running. I found that I liked customizing and building personal computers for customers. That business changed quickly when Gateway and Dell came onto the scene. Now and then, I still take a look at how people are customizing their personal computers. I’ve seen a lot of changes in technology, and I still remember the big Y2K scare as the year 2000 approached. I remember testing systems to ensure they were Y2K compliant, but I digress.... From decentralization to the cloud, mobile technology, AI, IoT, cryptocurrency, and cybersecurity, it is a very different landscape than the simple client-server network I grew up with. In the early 2000s I had my first exposure to document management systems, eventually Microsoft SharePoint. Most of these applications are cloud-based now, although the concept of creating, using, and retaining documents is relatively similar. What has also changed are the governance models and regulations. IT and IG governance models evolved to help organizations address and mitigate fines and loss of consumer faith related to data protection and privacy laws. Cybersecurity continues to be a big issue and has evolved since I read The Cuckoo’s Egg by Cliff Stoll nearly 15 years ago. Cliff was an astronomer who tracked down a hacker while he worked at the Lawrence Berkeley Lab. I firmly believe cybercrime will continue to be a significant issue to humanity throughout the 21st century.

PHOTO BY KATIE WILLEY

IGW: What led you into the world of Information Governance?

AY: I was selling and implementing document management software in the mid-2000s and came across a company that did backfile scanning, which partnered with the company I worked with on several projects. We continued to build a relationship, and they approached me for a job to help them run their imaging department and sell their services. I was hired in 2007 by Kent Records Management, Inc., and their leadership team encouraged me to learn as much as I could about records management and eventually IG. The reasons were to: 1) ensure we were keeping up with best practices; and 2) be a resource for our clients to answer questions they had related to records management and IG. I became a director shortly after being hired and eventually worked my way to Executive Director and Vice President. I spent over ten years at Kent Records, and it was a great experience, and I got to work with some great people. When Kent Records was acquired by Vital Records Control (VRC) late last year, I acted as the area VP for a few months until I had a conversation with the CEO, Danny Palo. He shared his vision for my role. I quickly learned Danny and VRC are serious about the IG community and their clients. We chose the title VP of Advocacy. I’m blessed to be able to mentor people for certifications, specifically the Certified Records Analyst (CRA) and Certified Records Manager (CRM) exams. I also frequently travel around the US conducting IG presentations to local ARMA chapters, at ARMA International, other associations, and universities.

IGW: What led you to start the IG GURU website?

AY: I was at an interesting point in my career in early 2018. I was swamped at Kent Records, and my kids were getting older, so they were becoming more active in school, sports, and college. I began keeping articles and news on a website to read later. If I found something interesting, I would share it with a small group of people. As time went on, I realized I had a business model, created a strategy, found some awesome sponsors, and slowly built a community. I then worked with Peter Kurilecz and Mark Wolfe to migrate the RIM Listserv community over to IG GURU. It took time, but we did it, so I’m happy to host the water cooler of the RIM/IG industry through IG GURU. It is convenient to go to one site to find news and what is happening in the IG community across the globe.

From top: Ysasi family on vacation; a family portrait; and Andrew mentoring a college student at a local coffee shop.

IGW: What are some significant challenges to governing emerging technologies?

AY: There are many challenges with emerging technologies. I’ll highlight the ones that I feel are most important, such as cybersecurity, lack of talent, and increasing privacy regulation. Cybersecurity continues to be a major topic due to malware, data breaches, and coordinated cyberattacks. After we saw CEOs lose their jobs due to data breaches, cybersecurity is now a mandatory matter that boards of directors and executives must address. More still needs to be done, but I fear that the bad guys are outnumbering the good guys, and most organizations find themselves chasing the next threat before they can get their arms around the previous one. If we are continually chasing down threats, it may be difficult to direct resources to IG efforts, when in fact that may be the best way to reduce overall risk. A lack of technical talent is an issue. Studies by the US government have shown there aren’t enough IT professionals to go around. Further, if immigration laws strengthen, it will be harder to bring in talent from other countries to help fill the need. We certainly need more cybersecurity training programs in the US. Another trend, a positive one, is increasing privacy regulation. This is good for consumers, but puts burdens on developers and technology companies to bake in privacy considerations. As privacy laws pop up by country, state, and region, it will be a challenge for technology companies to adapt and implement changes into their software and technology. Like cybersecurity, taking away or investing in resources to address privacy matters may either support an overall IG initiative, or bog it down, pulling it too far in one direction.

IGW: Tell us about your passion for career development and why you are such an ardent supporter.

AY: Shortly after graduate school, I started teaching the technology capstone course at Davenport University. After three years of teaching, I began Admovio in 2014 and focused on resume makeovers and career coaching. My resume work is featured on CIO.com, and what is most empowering is that the individual gets exposure like they never did before, with a new resume that truly showcases their abilities. Seeing someone in IT or any profession take the next step in their career, and knowing I had a little part in that, is truly rewarding. Organizations often struggle to find the right person for a job, and if I can help make that connection easier, I’m all for it. I enjoy being a positive influence while a person is unemployed or looking to move to a different environment.


TRANSitory RECORDS

LEGAL & ETHICAL RECORDKEEPING CONSIDERATIONS FOR TRANSGENDER REASSIGNMENT INDIVIDUALS BY ILONA KOTI

W

hat’s in a name—a frequently asked question for many individuals that have undergone/ are considering gender reassignment, or have chosen to not be associated with a gender at all. Yet in order for a transgender* person to legally transition to a new identity, their legal name and/or gender will need to be altered on several types of government and state issued identification documents. However, altering a state-issued birth certificate can be extremely challenging, if not legally permissible under current laws for several US states. While altering a vital record, from a records management perspective, may seem to defeat the purpose of maintaining accurate historical and statistical data, the ethical implications of not revising or amending a birth certificate for a transgender person can in-fact be a matter of life-or-death. LAW & DISORDER–KEY US LAWS SUPPORTING TRANSGENDER INCLUSION While many laws and regulations apply to transgender individuals, particularly at the state/local-level, the following are key pieces of US federal legislation providing support for the transgender population: • US Constitution–Equal Protection Clause-Article 1—Section 9–Clause 8

• Lists transgender status as a potential disability • Title VII-Civil Rights Act of 1964 • Grants transgenders the ability to utilize bathrooms corresponding with their appropriate gender • State’s rights allow for “Bathroom Bills.” It is illegal in North Carolina to use a public bathroom not corresponding with the “biological sex” listed on an individual’s birth certificate; several other states have proposed (not yet passed) similar legislation • Title IX-Civil Rights Act-1964 • Bans discrimination of transgenders in schools receiving federal funding • Family Educational Rights & Privacy Act (FERPA) • Educational records must be kept private. Students can petition a school to change their name and/or gender-marker on school records • Individuals with Disabilities Education Act (IDEA) and Section 504-Rehabilitation Act of 1973 • Some transgender students may qualify for disability status • Health Insurance Portability & Accountability Act (HIPAA) • Medical providers must keep patient records private Each state/local jurisdiction(s) should have additional specific legislation

regarding transgender status and one’s ability to alter birth certificates THE MORE THINGS CHANGE: LOGISTICAL CONSIDERATIONS FOR ALTERING BIRTH CERTIFICATES Although laws may dictate how/what can be changed on a birth certificate, there are several logistical considerations for altering birth certificates in general: • Original vital records (e.g. birth certificates), are also considered historical records providing pertinent statistical data, and are intended to not be altered • Birth certificates that have been changed will typically have the word “amended” displayed on the updated document (e.g. common for adopted individuals) • Many states allow for additional information to be entered on a birth certificate form/application, (e.g. parent’s occupation, ethnicity, etc.) for statistical purposes without actually printing the information on the birth certificate itself • When changing a birth certificate, ideally name/parents/gender, etc. will be changed at the same time to avoid additional costs and/or processing time • A person may wish to change their gender and/or name more than once, and would need to reapply for another birth certificate INFORMATION GOVERNANCE WORLD

69


RECORDS & INFORMATION MANAGEMENT Rights are not a matter of numbers—and there can be no such thing, in law or in morality, as actions forbidden to an individual, but permitted to a mob. -Ayn Rand THE SUM OF ALL PARTS–KEY STATISTICS In 2013, the US Social Security Administration updated Social Security card requirements to accommodate transgender applicants, primarily due to alarming responses provided by transgender participants in a 2011 US government study, the National Transgender Discrimination Survey (NTDS). The study revealed that transgender individuals experienced an escalated amount of discrimination and physical violence, due to the name and/or gender listed on critical/ vital identification documents not matching existing “social stereotypical expectations” of their chosen gender. The following are key statistics and facts regarding the documentation process relevant to transgender individuals: • Only 135,367 Social Security applicants changed their name to the opposite gender; only 30,006 people have ever changed their gendermarker -New York Times (2015) • 11% of transgenders have their preferred identity and gender-marker on all identity documents and official records, a decrease from 21% in 2011 (NTDS) -US Transgender Survey (2015) • 33% have not been able to update any identity documents (NTDS, 2011) • 33% that used documents not matching their “gender” experienced a negative situation/effect (NTDS, 2011) • 60% of trans people reported experiencing discrimination when applying for a name or gender change (NTDS, 2011) • Surgical requirements for transgenders applying for a birth certificate (and other identification documents) will vary by state; some states will require surgery and/or 70

INFOGOVWORLD.COM

hormone treatments, other states only require a doctor’s note stating that “appropriate clinical treatment for gender transition” was obtained • Tennessee’s Vital Records Act states that, “the sex of an individual shall not be changed on the original certificate of birth as a result of sex change surgery,” despite allowing for: legal name changes, adoption and changes to listed parents on birth certificates; Idaho and Ohio have similar restrictions • In Illinois, felony convictions require a 10-year waiting period before a legal name change can be made; other states only prohibit name changes for specific crimes, e.g. fraud and sexual offenses • Some states (e.g. Michigan), require that fingerprints be included in a name-change petition • California, and other states, may require a background-check prior to approving a name-change request • Several states (e.g. Maryland), require an individual petitioning for a name change, to publicly publish (e.g. in a newspaper) the request consecutively (e.g. three consecutive weeks in Illinois); other states require that an address is also proved and published • Originally initiated to prevent criminals from defrauding others under a new name • Many states require a specified residency period within the state be established, prior to petitioning a name change • Submitted documentation may also need to be notarized The following are key statistics regarding further insights into transgender individuals: • 0.6% of US adults identify as transgender (Williams Institute, 2016) • Current estimated US population is 328.7 million, with 209.1 million adults, thus nearly 1.2 million adult transgender Americans, an increase to 2 million if total US population under age 18 is included • Transgenders are less likely to

report a crime to law-enforcement to avoid providing documentation that may reveal their true identity • 1-in-10 transgender people were physically attacked in the past year; half of all transgender people are survivors of sexual violence (U.S. Transgender Survey, 2015) • The average cost of changing identification documentation ranges upwards of $500 (includes court/ newspaper publication fees/related costs, e.g. travel, etc.). Gender reassignment surgery costs range from $20,000 to $40,000+ • 16 states require sexual reassignment surgery to obtain a birth certificate (Movement Advancement Project [MAP], 2019) • Transgenders are four-times more likely to live under the poverty line; 15% of transgender Americans earn less than $10,000 per year (MAP; and The Center for American Progress, 2015) • The number of murders of transgender women (primarily African American), significantly increases, after their attackers discover their trans-status • In 2018, 29 violence-related transgender deaths were documented • 28% of transgenders that held/ applied for a job were either fired, not hired or denied a promotion because of gender identity; 20% experienced housing discrimination (USTS,2015) • In regard to “Bathroom Bills,” transgender respondents in the USTS (2015) stated that in the past year: • 9% were denied access to a restroom • 58% avoided using a public restroom due to fear of confrontation • 28% limited the amount that they ate or drank to avoid using the restroom • 41% of transgenders attempted suicide vs. 1.6% of the general population (NTDS, 2011) WE COULD ALL USE A LITTLE CHANGE: IMPROVEMENTS IN THE VITAL RECORDKEEPING PROCESS With advances in technology, biometrics and multi-factor identification mechanisms, validating


one’s “identity” has become faster, easier and more cost effective. Yet, technology is only one part of the equilibrium axis—people and process should be open to change as well. For transgender individuals (and others), implementing some changes to existing vital records request processes could greatly improve the outcome for all participating parties. The following are some process improvement considerations when requesting changes to vital records and official identification documents for both records offices and lawmakers: • Offer electronic-filing options to automate the process as much as possible—minimizing required travel, in-person wait-times and reduced inperson contact • Utilize automated processes to send system-generated status updates to applicants and provide timely communication, as processing times can be lengthy • If online processing services are not available, consider offering more comprehensive services at specific location(s) with staff who have received additional training, and are openly willing to assist transgender individuals, in an effort to create a more comfortable experience for both staff and applicants • Evaluate to what extent additional validation of documentation is needed for a transgender individual (e.g. notarized documents). Can publishing a formal name change request in a public newspaper (along with requiring an address) not only potentially “out” the applicant, but also place the applicant at risk, given the high rates of violence and discrimination against transgenders? • Consider waiving first-time filing fees (e.g. Connecticut), where petitioners may request that the court fees be waived due to financial hardship • Update databases and information systems accordingly, to capture additional metadata fields (e.g. updated gender, surrogates, same-sex parents, gender pronouns, etc.) 
• Provide educational training/training materials to staff regarding transgender related topics, preparing staff ahead of time, rather than have staff ask

applicants potentially inappropriate questions about their gender status/ transition. Enforce discrimination policies accordingly

The right to identify our own existence lies at the heart of one’s humanity. - District Judge Carmelo Consuelo Cerezo

THE X FACTOR: ETHICAL & MORAL CONSIDERATIONS FOR EVERYONE

Regardless of personal beliefs on transgender individuals, vital records databases and application/alteration processes can be improved as a whole through enhanced automation and data capture. Birth certificates are still based upon a “traditional” family status and often omit surrogates, same-sex couples and adoptive parents from the certificate itself. Ideally, vital statistical reporting information would still be captured, but on-demand printing of birth certificates would be allowed, to avoid having an “altered” marker listed on a reissued birth certificate. As information professionals, we are tasked with protecting and preserving the authenticity, integrity and reliability of records on a daily basis; yet with 60% of transgender individuals experiencing discrimination during the application process to alter identification documentation, we seem to be missing the mark on customer satisfaction (and safety). A birth certificate is more than just a vital record to a transgender individual. Officially issued documentation can be life-altering to a trans person, given the high statistical rates of violence and discrimination against transgenders. As for discrimination, birth certificates were utilized to assist in segregating African Americans in the US, who too were once assigned different bathrooms and facilities. Laws and regulations impacting transgender individuals’ rights and their ability to alter documentation reflecting their preferred gender status will actively continue into the foreseeable future. Until then, the moral obligation is placed upon us to not view transgender individuals as male or as female, but to see them as human beings, and to treat them with dignity and respect, just as we would for any other patron when providing records services.

*Typically, the term transsexual is associated with someone who has decided to undergo gender reassignment surgery, while the term transgender assumes that one has chosen to change their biological gender with or without a surgical procedure. Due to space limitations, the term transgender/trans is used here as an overarching term. Respectful consideration was also given to terms such as non-conforming gender, gender-fluid, cisgender, gender markers (she/he/they/hir/xe/ze), non-binary, deadname, etc.

ILONA KOTI, MLS, MS IM, CRM, PMP IS DIRECTOR OF GOVERNANCE PRODUCTS AT MONTANA & ASSOCIATES. ILONA IS A FORMER FOREIGN DIPLOMAT AND AN INTERNATIONALLY RECOGNIZED SUBJECT MATTER EXPERT IN IG WITH 25 YEARS OF EXPERIENCE IN LIBRARIES AND RIM, EXPANDED TO TECHNOLOGY, PRIVACY AND CYBERSECURITY. ILONA IS A CRM AND PROJECT MANAGEMENT PROFESSIONAL (PMP), WITH A MASTERS OF LIBRARY SCIENCE (MLS) AND INFORMATION MANAGEMENT (MS IM) FROM SYRACUSE UNIVERSITY. ILONA IS A TEACHING FELLOW AT THE UNIVERSITY OF DUNDEE IN SCOTLAND AND IS CURRENTLY UNDERGOING DOCTORAL STUDIES IN INFORMATION ASSURANCE AND VISUAL CLASSIFICATION TECHNOLOGIES. SHE IS ALSO A PAST PRESIDENT OF ARMA INTERNATIONAL AND MAY BE REACHED AT ILONA.KOTI@MONTANA-ASSOCIATES.COM



RECORDS & INFORMATION MANAGEMENT

NOT A SIX WEEK PROJECT BY PAULA LEDERMAN

Many Information Governance (IG) consulting assignments involve a current state assessment of an IG program and a roadmap to address gaps and shortcomings identified in the assessment, with a goal of creating a fully compliant Information Management Program. The roadmap is usually developed over a 3-5 year timeframe, and often the resulting response from Management is: “Three years is too long, we need visible results in six weeks, or at least six months.” The IG program development process is long and difficult, and the results are better and more value-driven when this is done over time.

WHY DOES IG TAKE SO MUCH TIME?

This can be summed up in a few concepts:
• Time to develop foundational tools that are easy to use and broadly applicable to the organization and its specific industry
• Time to establish business objectives and develop relevant metrics to measure progress
• Time to train staff, adjust to the change, create champions
• Time to bring on board and season management to the idea of managing information as a corporate asset, which carries with it much value, but also much risk
• Time to move corporate information assets (e-documents, presentations, policies, analyses) into controlled repositories in order to create a critical mass where most information assets are ‘managed and accessible’ in the new environment.

DEVELOPING FOUNDATIONAL TOOLS

Developing foundational tools includes developing records and information management (RIM) policies, procedures, roles and governance structures. Some of the tools include functional classifications, taxonomies, and records retention schedules. Depending on keyword searches for access is not good enough. There are so many ambiguities in language, even across a corporation, that a search result with a list of thousands of documents is not productive. A good example is the term ‘Environment.’ This could refer to the work environment (ergonomics), the world environment (climate change), or environmental efficiency programs (greening or energy reduction). A taxonomy and a functional classification can both go a long way in providing unambiguous groupings of like objects on a corporate-wide basis. These tools can then provide the basis for eventual use in auto-classification, a form of artificial intelligence (AI) which uses the content of documents and the context of words to guess at the classification, with the author or user only confirming the choice or entering an exception. The functional classification can also be used as a tool to define, and, in an automated system, implement records retention periods, thus controlling the growth in volume and enabling the compliant disposal of documents in an orderly, accountable and controlled process.

Some organizations see the development of the tools as unnecessary corporate overhead when they are moving their organizations to a more distributed and agile model. However, they do not factor in the value of having all of their distributed business units not only use consistent terminology, but share knowledge and documents outside of business unit boundaries. This overarching consistency provides a basis for exploiting information as an asset. It removes the burden of developing a schema for organizing and accessing documents from the individual business units, and serves as the glue that brings the information assets into a usable real or virtual whole. Imagine entering a library and having each group of titles organized in a unique arrangement. Ideally, like a library, it should be easy to scan the organization at a macro level, and get consistent, findable, usable results at a micro level, in a structure that is stable over time.

STAFF TRAINING AND CHANGE MANAGEMENT

Staff training takes effort and time. A fifteen-minute, one-time ‘lunch and learn’ is not enough. The training needs to be targeted to all levels of management, to all document creators and users, and to RIM staff. It needs to be structured in language and terms that are simple. It must be delivered in ways that accommodate staff work schedules and skills. It must be repeated and reviewed to ensure that the message has been understood. Finally, there must be a selected list of champions and ambassadors who are prepared to do a “show and tell” for those who resist or think their own way is better. These are all classic tools of more formal change management theory, and the repetition, the follow-up, and the review all take time, as does the reinforcement and achieving a comfort level where it is easier to use the tools than not to use them.

MANAGEMENT ROLES

It all starts from the top, but it must continue at the top to make IG an enduring and successful program. Endorsement at the outset fades very quickly when the reality of implementing an IG program sets in. An implementation strategy that defines a role for top management sets an urgency and value level that will motivate all staff and encourage buy-in. Compliance with IG through adjustments to performance appraisals and sometimes rewards or gamification strategies all contribute to the implementation success. The biggest problem here is that Management often has bigger issues to deal with, so the timing and selection of specific initiatives to reach out for Management endorsement has to be selective and highly visible. Tying information management initiatives to other significant corporate events is very often effective. In the same context, and on an extended time line, management must be reminded on an ongoing basis of the risks of not managing information as an asset. Too often we see demand for IG only after a serious problem has occurred involving electronic information assets, and thus the demand for swift action. The identification and recognition of risk, and countermeasures to avoid the consequences of unnecessary risk, is always preferable.

Often implementation is done on a day-forward basis, leaving staff to work with one foot in the old world and one in the new world, which makes their day-to-day activities more cumbersome, when the new tools should offer more efficiency. So data migration becomes a key implementation step. How are you going to select those records that have ongoing value to migrate into the new system, at a maximum rate of volume over time and a minimum cost? The old-fashioned method of separating ROT (Redundant, Obsolete or Transitory documents) from documents of value is a good start, followed by a strategy so that moving those targets that can be moved forward into the controlled environment happens efficiently and effectively. The new controlled repositories, which can be consistently accessed and whose records become subject to life cycle management, will take on exponential value when they hit a “critical mass,” that is, when there are more documents and records of value under control than not. This then becomes a critical success factor for more buy-in and understanding of the value of IG.

LOGICAL CONSOLIDATION OF INFORMATION ASSETS

The value of an information asset increases when search and document management tools can be applied across a broader base. Increasing the ability for one search to find all documents, emails, presentations, photographs, and other content, with that one search also including all synonyms and acronyms that are equivalent, increases the value of the information asset. Whether the information exists in a single repository or multiple repositories is of no consequence; if the information is tagged (metadata) for classification consistently across repositories, that creates more value for the information asset.

Yes, successful and enduring IG takes time, but build on the small successes along the way and the benefits will become increasingly visible—and valuable.

PAULA LEDERMAN IS AN INFORMATION MANAGEMENT CONSULTANT WITH IMERGE CONSULTING. SHE HAS CONDUCTED NUMEROUS PROJECTS ACROSS THE PUBLIC AND PRIVATE SECTOR AND IS FOCUSED ON MANAGING, ACCESSING, AND PROTECTING INFORMATION THROUGHOUT THE LIFE CYCLE. SHE ALSO TEACHES A CERTIFICATE COURSE IN RECORDS AND INFORMATION MANAGEMENT AT UNIVERSITY OF TORONTO SCHOOL OF CONTINUING STUDIES. SHE CAN BE REACHED AT PAULA.LEDERMAN@IMERGECONSULT.COM



DATA GOVERNANCE

4 BEST PRACTICES TO KICKSTART A DG PROGRAM BY KASH MEHDI

Data Governance (DG) can be an exciting journey. While no one size fits all, the basic elements to kickstart a DG program are essentially the same. But before we get into the best practices for launching a DG program, let’s take a step back and look into the challenges around data itself. To name a few:
• Building and operationalizing a holistic data and analytics strategy
• Delivering data with better data quality and proper controls around data privacy and security
• Digital Transformation to support the lift and shift of data from the legacy system to the cloud ecosystem
• Maximizing the impact of Business Intelligence (BI) and Master Data Management (MDM) programs
• Building a centralized inventory of logical data assets spread across multiple systems and applications
• Managing risk exposure on existing data and dealing with data privacy regulations like GDPR, CCPA, etc.
• Leveraging AI/Machine Learning to drive insights from existing data and drive automation
• Capturing the flow of data from the cradle to the grave (what it means, where it comes from, ownership and lifecycle)

The list keeps growing in time and space as enterprises’ data universe expands. Inevitably, data has become a new and important dimension for companies going through digital transformation, which also demands a huge push for DG. A common question that gets asked by organizations is: What DG best practices should be considered to help guide a DG program? Here are four key best practices when launching a DG program:

1) Focus on the operating model

The operating model is the base for any DG program. It includes activities for defining enterprise roles and responsibilities across the lines of business. The idea is to establish an enterprise governance structure. Depending on the type of organization, the governance structure could be:
A) Centralized - A central authority manages everything
B) Decentralized - Operated by a decentralized group of authorities
C) Federated - Controlled by independent or multiple groups with little or no shared ownership

For example, recently, I was working on a DG project with a major insurance provider in New York City. We started the initial engagement by interviewing leaders from each line of business such as Finance, Insurance, Sales, and Marketing. In the end, we identified two key representatives, one for the business and one for the technical track. Sometimes these key roles are also referred to as business stewards and technical stewards, supporting parallel universes from both a business perspective (owners of data) and an information technology perspective (owners of the infrastructure supporting data). Stewards form groups that roll up to the heads of business lines, and business lines roll up to the leaders of business and IT. As a DG best practice, my client shared the idea of creating an enterprise DG structure and formed a corporate DG council reporting up to the Chief Data Officer. Note: It is essential to define the realm of ownership across your organization.

Determining authority will help socialize your data governance program and establish an intelligence structure to tackle data programs as one unit of force. Members of the business and IT units from different groups align to a reporting structure often referred to as the DG council or the data stewardship committee. It’s the council or committee where the majority of everyday data decisions are discussed and disseminated across the organization. The DG council ensures formalized ownership and determines the right tools and technologies to support stewards so they can perform their job effectively. Here is a sample diagram showing an enterprise DG organization:

[Figure: enterprise DG organization. The Data Governance Council sits above the lines of business (Sales, HR, Insurance, Finance, Information Technology, Marketing), each with its own stewards. Legend: B = Business Steward, T = Technical Steward, A = Data Architect.]

2) Identify data domains

After establishing the DG Operating model, the next step is to determine the data domains for each line of business. The most used examples include Customer, Vendor, and Product data domains. Depending on the type of industry, there are different types of data domains. But everything boils down to identifying domains and capturing information about a business and its consumers. Considering the above examples for Customer, Vendor, and Product, each data domain contains a lot of artifacts (pictured below):
• Data Owners
• Business Glossary
• Data Dictionary
• Business Processes
• Data Catalogs
• Report Catalogs
• Data Quality Dashboards
• Systems and Applications
• Policies and Standards

Typically, the identification of data domains starts with a business need or problem. From a recent client engagement, here is an example of operational requirements from a significant Financial Services institution:
• Improve customer experience
• Control over validating customer needs
• Managing customer usage
• Increase upsell on storage billing cycles

Note: DG is about people, processes, and technology. It can be enabled by identifying a DG structure, assigning roles and responsibilities, and managing key information assets through a technology platform for governance.

The operational requirements were tied to business problems. The client had to control visibility and understanding around its customers, and data was spread across multiple systems and applications with no defined ownership. As a first step, I was able to help create ownership by identifying key stakeholders, business processes, and datasets related to the customer domain, and established controls around its lifecycle. The idea is to have a clear understanding of where data comes from, who owns it, and, when changes are made, who should be involved. This allowed us to create end-to-end data lineage. We established a simple rule around reporting metadata: “If you can’t tell me where you got the data from, your report is not certified.” The key exercise here was to link business metadata with technical metadata representing the underlying systems and applications. If you can figure out the system to trace one report, the model then becomes scalable. Here is a sample framework around report lineage (pictured right).

3) Identify critical data elements within the data domains

After defining the data domains, we are now standing at the pinnacle. From here, evidently, we see data domains touching 10s, 100s, and 1000s of systems and applications containing key reports, critical data elements, business processes, and more. Obviously, we don’t want to boil the ocean by focusing on all the data artifacts at once. Instead, we should only identify what’s critical to the business. For example, when working with a federal government agency, their DG initiative was to attain commonality across the enterprise by creating a centralized platform to manage and control changes and provide visibility into critical data assets: a platform to serve as a vibrant ecosystem, fostering collaboration, lifecycle and management, and retaining audit logs for past vs. future analysis. Another example is a technology company that needed to validate financial reports and related source systems. They started by identifying ten key reports and documenting information about the system of origin. Later, the initiative was scaled and called “the report certification” process, which applies to all reports, showing certification and related source system information. A report is not certified if the owners cannot prove its data lineage down to the system of origin. This particular exercise around capturing report lineage enabled the organization to automate data cataloging by scanning underlying systems and applications. There are a few leaders in the space that you can check out in the market (will get into that in more detail).

Sample framework around report lineage:

A) Report Catalog: 1. Revenue Forecast. Contains reporting metadata: name, description, calculation, projects, workbooks, etc.

B) Report Attributes: 1. Revenue 2. Growth Rate 3. Pricing. Data definitions or attributes that make up a report, e.g. the attributes for the Revenue Forecast report.

C) Data Warehouse: 1. Customer Revenue 2. Growth Rate 3. Product Price. Source containing physical metadata: schemas, tables, columns, etc.

D) Source System: 1. System A - Revenue 2. System B - Growth Rate 3. System C - Pricing. Source for physical metadata and transformation logic. Data in the warehouse could be coming from multiple source systems.
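The certification rule quoted above, “if you can’t tell me where you got the data from, your report is not certified,” can be applied mechanically once lineage is recorded as a graph over the four layers (report catalog, report attributes, data warehouse, source system). The following Python script is an added example, not the author’s code and not the data model of any cataloging product: it walks a constructed lineage map for the Revenue Forecast report from the framework above, plus a second constructed report whose trail stops short, and reports which reports are certified and where the gaps are. The node names, the “src:” prefix for systems of origin and the edge map are assumptions made for this illustration.

```python
"""Report-lineage certification check (added example, not from the article).

Encodes the rule "no proven lineage to a system of origin, no certification"
over a four-layer lineage map: report -> attributes -> warehouse -> source.
All node names are constructed; the "src:" prefix marks a system of origin.
"""
from collections import deque

# Lineage edges: each node lists the nodes it is derived from.
# Source systems are the roots and list no upstream nodes.
LINEAGE = {
    # Report catalog -> report attributes (the article's Revenue Forecast example)
    "report:Revenue Forecast": ["attr:Revenue", "attr:Growth Rate", "attr:Pricing"],
    # Report attributes -> data warehouse columns
    "attr:Revenue": ["dw:Customer Revenue"],
    "attr:Growth Rate": ["dw:Growth Rate"],
    "attr:Pricing": ["dw:Product Price"],
    # Data warehouse columns -> source systems
    "dw:Customer Revenue": ["src:System A"],
    "dw:Growth Rate": ["src:System B"],
    "dw:Product Price": ["src:System C"],
    "src:System A": [],
    "src:System B": [],
    "src:System C": [],
    # A second, constructed report: its Margin attribute points at a warehouse
    # column that nobody has traced back to a system of origin.
    "report:Margin Analysis": ["attr:Revenue", "attr:Margin"],
    "attr:Margin": ["dw:Margin"],
    "dw:Margin": [],  # dead end: no upstream recorded and not a source system
}

SOURCE_PREFIX = "src:"  # assumption: systems of origin are named with this prefix


def certify(report, lineage=LINEAGE):
    """Walk the lineage from `report` down to systems of origin.

    Returns (certified, gaps). `certified` is True only when every path
    ends at a source-system node; `gaps` lists the nodes where the trail
    stops short (no upstream recorded and not a source) or that are
    missing from the lineage map altogether.
    """
    gaps = []
    seen = set()
    queue = deque([report])
    while queue:
        node = queue.popleft()
        if node in seen:
            continue  # guards against cycles in a badly entered lineage
        seen.add(node)
        if node.startswith(SOURCE_PREFIX):
            continue  # reached a system of origin: this path is proven
        upstream = lineage.get(node)
        if not upstream:
            gaps.append(node)  # lineage not proven for this node
            continue
        queue.extend(upstream)
    return (len(gaps) == 0, sorted(gaps))


def certification_report(lineage=LINEAGE):
    """Return {report name: (certified, gaps)} for every report in the map."""
    return {n: certify(n, lineage) for n in lineage if n.startswith("report:")}


if __name__ == "__main__":
    for name, (ok, gaps) in certification_report().items():
        status = "CERTIFIED" if ok else "NOT CERTIFIED (gaps: %s)" % ", ".join(gaps)
        print(f"{name}: {status}")
```

The walk is breadth-first with a visited set, so a lineage map that accidentally loops (a warehouse column recorded as derived from a report that consumes it) terminates and is reported as a gap rather than hanging the check. Feeding it the output of an automated catalog scan, rather than a hand-typed map, is the scaling step the article describes.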


4) Define control measurements

Above, we learned about DG structures, the operating model, data domains, and identifying critical data elements. The next step is to set and maintain control to sustain the governance program. After delivering DG solutions across multiple industries, including banking, healthcare, insurance, government, retail, manufacturing, and more, my experience is that DG is not a one-time project. It is an ongoing program to fuel data-driven decision making and create opportunities for business. It prepares an organization to meet business standards. Control measurements include the following key activities:
• Define automated workflow processes and thresholds for approval, escalation, review, voting, issue management, and more
• Apply workflow processes to the governance structure, data domains, and critical data elements
• Develop reporting on the progress of steps 1 through 4
• Crowdsourcing through ratings and review
• Capture feedback through automated workflow processes, plus audit trailing for capturing historical changes (before/after)
• Documenting policies and standards and their linkage to business and technical metadata for risk reporting
• Documenting data quality rules and creating data quality dashboards and scorecards for review and remediation

For example, one technology segment company out of California started with DG in early 2010. They began by defining ownership, roles, and responsibilities, defining business data definitions and applying workflow processes to include data stewards in the change management process. In the end, they established a robust DG organization supporting an ongoing program for managing all business data definitions and the execution of control processes such as business data definition on-boarding, approval, the collaboration of data stewards, and capturing feedback.

There is more to these four data governance best practices than we’ve discussed in summary for kicking off an enterprise DG program. And depending on the industry, there are different approaches. The above steps stand valid for establishing effective overall DG, which is the foundation for better data quality, privacy, security, and maximizing business intelligence and MDM programs. DG will help us prepare for growing trends in technology such as AI, IoT, and blockchain, and legislative mandates like GDPR, CCPA, and more. Governance acts as a toll gate, i.e., before any initiative, you want to make sure data has a proper meaning, definition, quality, privacy control, and lineage.

KASH MEHDI BRINGS DEEP INTERNATIONAL DG EXPERIENCE WORKING WITH CUSTOMERS ACROSS VARIOUS INDUSTRIES, AND CONTINUES TO SUPPORT DG AT HIS CURRENT POSITION AT INFORMATICA. PREVIOUSLY, KASH WORKED AT COLLIBRA WHERE HE LED A GLOBAL ADVISORY TEAM TO DRIVE DG ADOPTION FOR CUSTOMERS. HE ALSO HELD A RESEARCH ROLE AT THE BIOINFORMATICS DIVISION OF UAMS AND DESIGNED AN ONTOLOGY-DRIVEN QUALITY FRAMEWORK SUPPORTING CANCER RESEARCH. HE MAY BE REACHED AT: KXMEHDI@GMAIL.COM

News

PROJECTED DG MARKET GROWTH

The Global Data Governance Market is expected to reach $4.1 billion USD by 2025, up from $1.8 billion in 2017, and is projected to grow at a CAGR of 23.4% during the forecast period of 2018 to 2025. The market report covers a forecast period from 2018 to 2025. The DG Market research report provides a comprehensive study on production capacity, consumption, import and export for all major regions across the globe. The company profiles of all the key players that are dominating the DG market are included. The leading players in the DG market are:
• Adobe Systems
• Alation Inc
• Ataccama Corporation
• Data Advantage Group Inc.
• Datum LLC
• Denodo Technologies
• Global Data Excellence
• Global IDs
• IBM
• Infogix Inc
• Magnitude Software Inc.
• MicroStrategy Incorporated
• Orchestra Networks
• Reltio
• SAS
• Teradata
• TIBCO Software Inc

Data governance is used in various applications including banking and financial services, insurance, retail, government, defense, healthcare and life sciences, manufacturing, telecommunications, energy and utilities, construction, engineering, and others. A sample of this report is available at: https://databridgemarketresearch.com/request-a-sample/?dbmr=globaldata-governance-market


CONTENT SERVICES CLOUD CONTENT MANAGEMENT: CLEANUP ON AISLE 4 BY BUD PORTER-ROTH

A

key question that must be considered once you have purchased a cloud content management (CCM) system: What do you do with the hundreds of gigabytes of content on your file servers? The choices are straightforward; the implementation may be more complex. Option 1: Avoid any legal issues in the future by reviewing your preservation orders, audit/tax holds, and any other potentially new preservation orders. Documents that are subject to a legal preservation order need to be preserved and cannot be deleted until the preservation order is lifted. If you can identify the preservation order owners and the documents subject to the preservation order, request that those documents be identified and properly held. Consult your legal team for how they prefer to retain documents. Your company may have its own approach to locking the documents down. Consult your legal team about this project and bring them in when necessary. Good News: After this exercise you will be familiar with your legal obligations and can use that information to support your efforts for the options listed below. Bad News: If this is new to you, and preservation orders have not been widely used or tracked, this could mean a lot of work. Generally speaking, if you don’t know what is on preservation order, you should not be deleting files. Work with your legal team on this option and ensure you have their guidance and approval prior to getting started with the options below. Option 2: Once the CCM system is up and running and is in use, make the network file shares read-only.

78

INFOGOVWORLD.COM

This can be for the whole enterprise if the whole enterprise is using the CCM system, or on a department-bydepartment basis. Make the network file shares read-only for one-year and inform the user community. This means that the users can retrieve files and upload them to the CCM system, but they cannot add files to the file share. There should be some research prior to making the file shares read-only to determine if there are any programs or applications that write to the file share. At the end of one year, the file shares get hidden from the users for some period of time (like three years) and after that period of time, deleted completely from all drives and backups. Key: One note to discuss with your IT department is whether the users should “Copy” or “Move” documents to the CCM system. If copied, the document now exists in two places as a duplicate file. If moved, the document is deleted from the file share and moved to the CCM system, and there is no duplicate file. Good News: This is probably the least intrusive for the users and allows them to work normally during the period of transition to the CCM system. Close to the end of the one year period, send out a notice informing the users they have 30 days more to retrieve files before the file shares disappear. Bad News: This means that the full file shares will remain in place for one year and the length of time you choose to archive the file shares. As long as the file shares are archived, they are subject to legal search and holds. Option 3: The third option (instead of Option 2) is to undertake a first-level cleaning of the file shares. This can be done while users are working in the file shares, but they should be given notice of the intended cleaning project


and its duration. The first level of cleaning is to look at what is called ROT—redundant, obsolete, and trivial documents that no longer have business value and can be deleted from the file shares. (There are many articles on the subject of ROT if you are not familiar with the term.) Using a file analytics tool, such as Active Navigation, Haystac, TreeSize, or ZLTech, IT or the user can search the file shares for, for example, duplicate files, identify them, and delete them. Note that with best records management practices in mind, only an original document is a record; duplicates (or versions) of that document are not records and can be safely deleted. A file analysis tool can also show you the age of a set of documents in a file share. For example, if your Accounts Payable (A/P) documents can be deleted after seven years, search your A/P file share directory for documents over seven years old and delete the documents on the list. You may delete the documents “programmatically” with the file analytics software, or have the software produce an Excel spreadsheet of the documents, provide that list to the user, and have the user approve and sign off on the list. The list then goes back to the IT department, which deletes the documents. This exercise can be repeated for each department. (BTW, this can also be implemented manually, with the users reviewing the retention schedule for their departments and finding and deleting the appropriate documents.)

Good News: The good news is that if this is done with some degree of diligence (and bravery), you may be deleting up to, or over, 50% of your file shares. Most studies in the industry indicate that on average 50% or more of all documents in a company are caught in a ROT clean-up exercise. This, by itself, will be a huge benefit to the company and improve the productivity of all users by reducing the clutter they must search through to find what they need.

Bad News: This is a difficult exercise to make happen throughout the company. Many users will protect their documents and claim that they are needed for future work and reference, even if the file has not been opened in the past five years! Also, many users, having “real” work to do, will not be very diligent and will be willing to allow the documents to be uploaded to the new system with the idea that they will take care of deleting them at a later date. Based on real-world experience, this will not happen.

Option 4: The fourth option builds on the third option. While the third option may have identified 50% of your content that can be deleted, there may be another 20% (or more) of the file shares that can be deleted. To do this, the users are asked to review the remaining documents that were not caught in the Option 3 net and to determine whether these documents can also be deleted. These documents may be, for example, project documents from an earlier project that was completed or canceled and that no longer have any business value. There could be spreadsheets of analysis, presentations, papers, and a variety of other content types like photographs, HTML pages, etc. that supported the project. Because the user is now looking at a reduced set of documents (~50% fewer), it will be easier for the user to identify, isolate, and delete documents that no longer have business value. At the end of Option 4, the file shares should be very clean and up-to-date and ready to be migrated to the CCM system.

Good News: Instead of migrating 100 gigabytes, 75% of which could be ROT, you are only migrating a small set of documents that have business value to the user. This will also enhance search and user productivity in the new system.

Bad News: This can be a long process, and again, users will withhold their documents without a good business justification. With the proper change management communications, the users will be more agreeable to deleting documents if they understand the value of a small document set.

In summary, this is a brief tutorial on how you may go about deleting documents from a file share and moving the remaining documents to a CCM system. These are broad ideas, but you should be able to capture the essence of the idea and make it more directly relevant to your unique situation and company. Each company will approach the deletion of files differently, but there has to be some logic, intelligence, and agreement to the overall process.

One final note is to remember that each user tasked with the above work also has their “real” job to do, and this real job is what they get evaluated on and paid for. Users do get cranky when they are tasked with what they consider non-work or corporate-mandated work that takes away from their normal work. Be aware of this and, by all means, try to make the work less onerous: have a winner for the most files deleted, acknowledge them with prizes (e.g. a $10 Starbucks card) or mock trophies/ribbons they can hang in their cubicles, hold pizza lunch-and-learn days, and perhaps set aside dedicated time, every Friday from “Lunch to Quittin’ Time,” for the user to do this type of work.

BUD PORTER-ROTH HAS BEEN AN INDEPENDENT CONSULTANT FOR 20 YEARS AND IS FOUNDER AND PRINCIPAL CONSULTANT FOR PORTER-ROTH ASSOCIATES (PRA), WHICH PROVIDES A BROAD RANGE OF CONSULTING SERVICES TO USERS AND VENDORS OF ECM TECHNOLOGIES. HE IS A FREQUENT SPEAKER AND WRITER AND CAN BE REACHED AT BUDPR@ERMS.COM
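As an added example (not code from the article or from any of the file analytics tools it names), the following Python script performs the Option 3 scan the way the text describes it: it finds duplicate files and files past a department's retention period, and produces the review spreadsheet for user sign-off rather than deleting anything. It assumes a local directory tree, SHA-256 content hashing to detect duplicates, and file modification time as the document's age; the sample A/P share it scans is constructed inline.

```python
"""ROT review-list generator: an added example, not code from the article or
any vendor tool. It walks a file share, flags duplicates (same SHA-256 content;
the first copy met is kept as the record) and files past a retention period,
and writes a CSV for user sign-off. Nothing is deleted. Assumption: age comes
from the modification time, which an earlier copy or migration may have
reset, so the list is a starting point for review, not a verdict."""
import csv
import hashlib
import os
import tempfile
import time
from pathlib import Path

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_share(root, retention_years, now=None):
    """Return (path, reason, detail) tuples; reason is 'duplicate' or 'expired'."""
    now = time.time() if now is None else now
    cutoff = now - retention_years * SECONDS_PER_YEAR
    seen = {}  # content hash -> first path seen, i.e. the retained original
    candidates = []
    # sorted so that "first copy seen" is the same on every run
    for path in sorted((p for p in Path(root).rglob("*") if p.is_file()), key=str):
        digest = sha256_of(path)
        if digest in seen:
            candidates.append((str(path), "duplicate", seen[digest]))
            continue
        seen[digest] = str(path)
        mtime = path.stat().st_mtime
        if mtime < cutoff:
            age = (now - mtime) / SECONDS_PER_YEAR
            candidates.append((str(path), "expired", f"{age:.1f} years old"))
    return candidates


def write_review_list(candidates, csv_path):
    """The spreadsheet handed to the department; the user fills the last column."""
    with open(csv_path, "w", newline="") as f:
        w = csv.writer(f)
        w.writerow(["path", "reason", "detail", "approved_for_deletion"])
        w.writerows([p, r, d, ""] for p, r, d in candidates)
    return csv_path


def build_sample_share():
    """Constructed A/P share: an 8-year-old invoice, a recent invoice and a
    byte-for-byte copy of it. Returns (root, now) for a reproducible scan."""
    root = Path(tempfile.mkdtemp(prefix="share_")) / "ap"
    root.mkdir()
    now = time.time()
    (root / "invoice_2010.pdf").write_bytes(b"paid 2010")
    os.utime(root / "invoice_2010.pdf", (now - 8 * SECONDS_PER_YEAR,) * 2)
    (root / "invoice_2018.pdf").write_bytes(b"paid 2018")
    (root / "invoice_2018_copy.pdf").write_bytes(b"paid 2018")
    return str(root), now


if __name__ == "__main__":
    share, now = build_sample_share()
    found = scan_share(share, retention_years=7, now=now)
    print(write_review_list(found, os.path.join(share, "rot_review.csv")), found)
```

With a seven-year A/P retention period the scan lists the 2010 invoice as expired and the copy of the 2018 invoice as a duplicate; the 2018 original is kept as the record and nothing is removed until the signed-off list comes back.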



INFORMATION GOVERNANCE TRADE SHOWS & CONFERENCES

Nashville

ARMA INFOCON

October 21-23 (Nashville) ARMA InfoCon is the premier event for records and information management professionals to learn and share industry best practices. Information Governance providers and key corporate stakeholders will get in-depth, groundbreaking educational content for the full information lifecycle. This year’s conference is being held at the Gaylord Opryland Resort and Convention Center. It will feature several workshops, including Advanced Technologies, Information Management Fundamentals, Information Projects and Risk Reduction. INFOCON 2019 is a 3-day event which features non-stop presentations on current and timely topics. Presentation titles include: Cloud Risk and IG: What You Need to Know, Cyberattacks and IG Today – You Be the Judge, Coping with Orphaned Information Assets, Panning for IG Gold, File Analysis 101, Tidying Up Share Drives: How Charter Communications Addressed the Challenge, Blockchain Technology: Using Smart Contracts and Developing Measurable Metrics for Information Governance. https://www.arma.org/events/EventDetails.aspx?id=1166128&group=

What to do in Nashville

Nashville is home to many music legends and the places they made famous. The “Grand Ole Opry” stage is definitely something to see. The Country Music Hall of Fame and Museum and the historic Ryman Auditorium are in downtown Nashville, as is the “District,” which features honky-tonks with live music and the Johnny Cash Museum. The musical spirit lives on in local musicians and headliner talents who perform in venues around the city. Nashville is located on the Mississippi River, and there are paddle wheel steamers which offer lunch and dinner cruises. Sightseeing opportunities include the Belle Meade Plantation and Andrew Jackson’s Hermitage. Tennessee is famous for its whiskey. There are many local varieties to sample, and tour buses will take you to the Jack Daniels distillery. https://traveladdicts.net/things-to-do-in-nashville-tennessee/

Arizona

ASSOCIATION OF CORPORATE COUNSEL (ACC) ANNUAL MEETING

October 27-30, 2019 (Phoenix) The ACC’s Annual Meeting provides In-House Counsel with the chance to connect, network and learn from their peers. Trevor Faure, former Global General Counsel of Ernst & Young, is the keynote speaker. He will discuss Smarter Law: From Emotional to Artificial Intelligence, Transforming Busy Lawyers into Business Leaders. The meeting features over thirty presentations from practicing professionals, including: Best Practices in Legal Operations Using the Legal Operations Maturity Model, 67 Legal AI Solutions in 67 Minutes, AI, Innovation and Predictability in eDiscovery, Lessons Learned from the Fortune 500, Implementing an Effective Compliance Program, eDiscovery in the Age of Emerging Applications, Preventing Employees from Hoarding Documents, Managing Spend and Showing Value. https://www2.acc.com/education/am2019/?acc_source=EducationEventsPage&acc_campaign=Am2019

What to do in Phoenix

Phoenix is known for its year-round sun and warm temperatures. In October, the average temperature ranges between 65 at night and 85 during the day, perfect weather for those folks wanting one last taste of summer before returning to the cold winters of the Northeast and Midwest. Camelback Mountain is a great place to go hiking. It is an iconic peak which offers spectacular views of Phoenix and the surrounding valley. The surrounding desert is an arid landscape best seen from a hot air balloon. Riverview Park has excellent walking trails and access to the Arizona State University campus. The Pointe Hilton Tapatio Cliffs Resort has wonderful cuisine. Its location at the top of a mountain provides awe-inspiring views which complement the dining experience. No description of Phoenix activities would be complete without mentioning the myriad golf courses, many designed by famous players including Jack Nicklaus. For the adventurous with the time for a side trip, the Goldfield Ghost Town is a glimpse into the 1890s western era. Activities include gold-mine tours, Old West gunfights, a history museum & more. https://www.visitphoenix.com/things-to-do/

IG WORLD MAGAZINE IG & INFONOMICS SUMMIT

Dec 4, 2019 (San Francisco) IG World Magazine is holding our third IG & Infonomics Summit on Wednesday, Dec. 4 in San Francisco to educate C-level executives and IG leaders on how to leverage information value. The Summit will be held at the elegant, award-winning Marker Hotel in San Francisco. Presenters include Rich Kessler (KPMG LLP), Eli Zukovsky (Haystac), Neil Calvert (LINQ), with a special appearance by Doug Laney, the author of Infonomics: How to Monetize, Manage, and Measure Information as an Asset for Competitive Advantage. Attendees will participate in exercises designed to engender real-world understanding of how Information Governance can be used to monetize information value using the principles of Infonomics. To request an invitation, email events@infogovworld.com or submit your request at https://infogovworld.com/sfo-event-registration/

Alcatraz

What to do in San Francisco

San Francisco is one of California’s most storied cities. The Cable Car system is a great way to get around. Fisherman’s Wharf offers many wonderful culinary experiences. For the adventurous eater, Chinatown’s eateries are a source of exotic menus. There are street vendors and many small shops that serve excellent gastronomic fare with spicy tastes that can only be found in San Francisco. Alcatraz, a former prison, is now a National Park and one of the city’s most popular attractions. The Golden Gate Bridge is 1.7 miles across, so it’s about a 35-minute walk each way. Lombard Street, located on Russian Hill between Hyde and Leavenworth Streets, has eight sharp turns which are said to make it the most crooked street in the world. www.sftravel.com

LEGALWEEK

February 3–7, 2020 (New York) Legalweek is where legal business gets done. In February 2020, thousands of legal professionals will assemble to learn about new technology and share lessons they have learned in the past year. According to the website, each company that participates will garner 142 leads. Attendance at last year’s standing-room-only, record-breaking keynote topped 1,400 individuals out of 8,000 registered attendees. This year’s event will feature over 300 high-level speakers from 36 countries. Last year, 36% of the attendees were first-timers and 54% had attended for 3 years or more. This year’s registration already tops 9,000 individuals, whose job titles include in-house counsel, law firm partners and other legal professionals. Last year, 83% of attendees said they learned about key solutions they could implement immediately. This year, you have a chance to experience the excitement of solving problems in real time. Will you be there? https://www.event.law.com/legalweek

Reunion Tower, Dallas, Texas

AIIM CONFERENCE

March 3-5, 2020 (Dallas) This year’s AIIM Conference theme is “Intelligent Information Professions.” The conference will provide attendees with the opportunity to learn new strategies and skills for combating information chaos. Attendance is projected to exceed 600 individuals from over 29 countries. AIIM’s focus continues to be the “digital transformation journey”. This digital transformation can be viewed as a journey which enhances customer experiences, business agility and automated compliance. The mile markers along the way will be Content, Process and Analytic Services. The conference features over 150 educational sessions, facilitated by talented thought leaders from a variety of industries and organizations. There will be many opportunities for networking. Fellow AIIM Tribe members will welcome your participation and work hard to answer your questions and make you feel like you want to come back again for more. https://aiimconference.com/

What to do in Dallas

Dallas is located in the northern part of Texas, just a few miles east of Fort Worth. In fact, the two cities are so close that the metropolitan region is often referred to as Dallas-Fort Worth. Sadly, Dallas is infamous for being the city in which John F. Kennedy was assassinated by Lee Harvey Oswald. As such, it is no surprise that tours of the Sixth Floor Museum/Texas School Book Depository building are available on a daily basis. However, Dallas is a vibrant city which offers many less heart-rending tourist activities. The Perot Museum of Nature and Science has wonderful dinosaur fossils on display. The Perot Museum also has 11 permanent exhibit halls that contain state-of-the-art video and computer animations with awesome, life-like simulations, educational games and interactive kiosks. White Rock Lake Park is popular and especially beloved because it offers a natural area with plenty of wildlife right in the middle of an urban setting. Reunion Tower soars to the dizzy height of 561 feet, making it the city’s 15th tallest building. Texas is well known for its cattle drives, and there is a sculpture commemorating this in Pioneer Plaza, which is the city’s largest public park area and a very popular tourist site. The Bishop Arts District offers an alternative to the rough-and-tumble cowboy lifestyle. Visitors to the Arts District can take a walk, have a meal and enjoy a variety of multi-cultural artwork. The district features over 60 restaurants, bars, coffee shops and boutiques, as well as out-of-the-ordinary art galleries. https://www.thecrazytourist.com/25-best-things-to-do-in-dallas-tx/


INFORMATION GOVERNANCE EVENTS

Oct 5: WiE SoCAL Tech Conference (Irvine)
Oct 8-11: RIMPA Live 35th Annual Convention (Melbourne)
Oct 14-16: GICLI Gov Investigations & Civil Litigation Institute’s 5th Annual Meeting (Lake Tahoe)
Oct 14-17: DGPO Data Architecture Summit (Chicago)
Oct 16-17: NDSA Digital Preservation (Tampa)
Oct 16-18: EDI Electronic Discovery Institute 9th Annual Leadership Summit (Lake Tahoe)
Oct 18: SANS 2019 Cloud Security Brief (Seattle)
Oct 20-23: Relativity Fest eDiscovery community including WiE (Chicago)
Oct 21-23: ARMA Live! (Nashville)
Oct 23-24: DAA 2019 ONE Conference (Chicago)
Oct 24: The Sedona Conference Working Group 1 Annual Meeting (St. Louis)
Oct 27-30: ACC (Association of Corporate Counsel) Annual Meeting (Phoenix)
Oct 29-30: IAPP ANZ Summit (Sydney)
Oct 30: IRMS North Autumn Event 2019 (Manchester)

Nov 5: InfoGov World Media - IG & Infonomics Summit (New York)
Nov 5-6: Forrester 2019 Data Strategies & Insights Forum (Austin)
Nov 10-15: TDWI Conference (Orlando)
Nov 13: AIIM Leadership Council Summit (London)
Nov 13: ILTA (International Legal Tech Association) ILTACon Europe (London)
Nov 13-14: CFO Alliance CFO Live (New York)
Nov 15: SANS Dark Web Briefing (Boston)
Nov 19: Sedona Conference on Global Aspects of Patent Litigation (Kildare, Ireland)
Nov 19-20: IIA New Zealand Annual Conference (Wellington, New Zealand)
Nov 18: ISSA Show North America (Las Vegas)
Nov 20-21: ISACA InfoSecurity North American Expo and Conference (New York)
Nov 20-21: IAPP Europe Data Protection Congress (Brussels)

Dec 4: InfoGov World Media - IG & Infonomics Summit (San Francisco)
Dec 4: 5th Annual National eDiscovery Day
Dec 2-5: Black Hat Europe 2019 (London)
Dec 2-6: DGPO Data Governance Winter Conference (Delray Beach, FL)
Dec 9-10: HIMSS Healthcare Security Forum (Boston)
Dec 9-12: DG Vision – Data Governance & Stewardship (Washington DC)
Dec 12-19: SANS Cyber Defense Initiative 2019 (Washington DC)

Jan 31: ARMA LegalTech, Innovative Information Governance Education Track (New York)

Feb 4-6: Legalweek (New York)
Feb 10: The Sedona Conference Working Group 6 Annual Meeting (New York)
Feb 12-13: IAPP Data Protection Intensive 2020 (Paris)
Feb 23-25: Gartner CIO Leadership Forum (Phoenix)
Feb 24-28: RSA Conference 2020 (San Francisco)

Mar 3: AIIM Conference 2020 (Dallas)
Mar 9-13: HIMSS 2020 (Orlando)
Mar 11-12: IAPP Data Protection Intensive UK 2020 (London)
Mar 18: The Sedona Conference Working Group 11 Annual Meeting (Denver)
Mar 22-27: Enterprise Data World (San Diego)
Mar 30: Gartner CIO Leadership Forum (Hollywood, FL)

Note: events highlighted in yellow have write-ups in the Trade Show section.


Information Governance & Infonomic$ Summit

The path to leveraging information value: From Information Governance to Infonomics

When: November 5, 8am-5pm; Reception & Book Signing 5pm-6pm
Where: Michelangelo Hotel, New York City
Who is Invited: C-level Executives & IG Leaders

Special Appearance by Doug Laney, author of Infonomics

Speakers: Neil Calvert, Linq Infonomics Solutions; Barak Tsivkin, Haystac; Robert Smallwood, Institute for Information Governance; Richard Kessler, KPMG

Is data the new oil? Join us and key C-level executives to understand how to navigate the journey to harvesting newfound information value. You’ll learn the principles and formulas for monetizing information from Doug Laney’s groundbreaking book, Infonomics. We’ll have insightful presentations and panel discussions, including a group lunch, then conclude with a book signing by Doug Laney and also Robert Smallwood, who will sign the new edition of his book, Information Governance, during a catered cocktail reception where you can network with peer executives and industry leaders. The event will be held at the elegant Michelangelo Hotel, a treasure in NYC.

Cost: $495. Includes continental breakfast, lunch, coffee breaks, a cocktail reception, and a copy of Laney’s Infonomics. By invitation only. Request yours today by emailing events@infogovworld.com.

MEDIA SPONSOR

Information Governance, Second Edition (jacket copy)

INFORMATION GOVERNANCE: CONCEPTS, STRATEGIES AND BEST PRACTICES, Second Edition
Robert F. Smallwood, with leading experts
Proven and emerging strategies for implementing information governance programs using best practices

Information Governance features major contributions from these leading experts in the field: Barclay Blair, Charmaine Brooks, Dr. Patricia Franks, Doug Laney, Andrew Ysasi, Baird Brueseke, Monica Crocker, Randolph Kahn, Esq., Darra Hoffman, Bassam Zarkout

“Effective Information Governance (IG) programs improve operational efficiency and compliance capabilities while leveraging information as an asset to maximize its value. Active IG programs are the hallmark of well-managed organizations, and increasingly IG has become an imperative, especially for global enterprises.” —From Chapter One

There has been a “perfect storm” of sorts that fueled concerns for information privacy, data protection, and regulatory compliance. The 2018 EU General Data Protection Regulation (GDPR), amidst the drumbeat of colossal data breaches and major privacy violations, ignited a wave of increased activity in the field of information governance (IG). In today’s environment, it is vital that business managers have a clear understanding of the methods and best practices used to control and secure information, and the opportunities to leverage information asset value. That requires an effective IG program.

The revised and updated Second Edition of Information Governance offers an important guide that reviews the basic concepts of IG, defines what it is (and what it is not), explains how to justify and implement an IG program, and explores ways to secure and control information while maximizing its value using infonomics principles. The discipline of IG covers a range of components: privacy, cybersecurity, e-discovery and law, records management, compliance, information technology, risk management, business operations, and more. Filled with illustrative examples and written in clear language, Information Governance addresses the many aspects of IG with actionable strategies and proven best practices. Written by a noted expert in the field with contributions from a number of industry pioneers and experts, Information Governance explains how to plan and manage a cohesive and (continued on back flap)

The Second Edition of Information Governance continues to offer a guide to the imperative big picture for implementing IG, with actionable steps to reduce information risk, improve compliance capabilities, and leverage information value. Information Governance is filled with much-needed advice and practical strategies for compliance and risk managers, operations managers, corporate records managers, corporate counsel, legal administrators, information technology managers, archivists, knowledge managers, and information governance professionals.

Cover Design: Wiley. Cover Image: © style_TTT/Shutterstock
Subscribe to our free Finance and Investing eNewsletter at wiley.com/enewsletters
Visit wileyfinance.com
$95.00 USA / $114.00 CAN


TRUST MATTERS

Our 50+ attorney Privacy & Cybersecurity team offers practical advice in the areas of cybersecurity and digital asset management:
• California Consumer Privacy Act Compliance
• Data Mapping, Classification & Risk Analysis
• Incident Response, Simulation and Preparation
• Privacy & Security Policies and Procedures
• Responses to Consumers, Regulators & Litigation
• Cyber & Privacy Diligence in Acquisitions and Investment

HOW CAN WE HELP YOU? CONTACT: Justine Phillips, Partner, San Diego, tel: 619.338.6619, jphillips@sheppardmullin.com

Privacy & Cybersecurity Recognitions:
• Law360 – Team ranked “Cybersecurity & Privacy Practice Group of the Year”
• Forbes – Cybersecurity / Data Privacy listed as “Most Recommended Practice Area” in America’s Top Trusted Corporate Law Firms list
• The Legal 500 – US team ranked for Cyber Law in the USA and EU Data Protection team ranked for EU Regulatory: Privacy and Data Protection

www.sheppardmullin.com

Profile for IG World Magazine

IG World Vol 2 * Issue 1 - Fall 2019  

The first magazine to cover the Information Governance market.
