IG World Vol 2 * Issue 2 - Spring 2020





















LINQ brings infonomics to life.

LINQ enables businesses to learn the true business value of their information, and evaluate the impact of changes to the data, systems, and processes to maximize business value.


Information Governance & Infonomic$ Summit

A 3-D Experience Virtual Event
Thursday, April 23rd, 9am to 3pm (Eastern)
Virtual Networking Session, 3pm to 4pm
Virtual Reality Controls Orientation (for first time users), 8am to 9am

$95.00 Sign up now at https://infogovworld.com/virtual-event-registration-april-23/ or email us at events@infogovworld.com with inquiries about the event

Special Appearance by Doug Laney, author of Infonomics

Richard Kessler, KPMG

Neil Calvert, CEO, LINQ Infonomics Solutions

Robert Smallwood, Institute for Information Governance



www.infogovworld.com (888) 325-5914 2538 University Ave. # 488, San Diego CA 92104 MEDIA SPONSOR




infogovworld.com VOLUME #2 ISSUE #6 SPRING 2020







Robert Smallwood





Baird Brueseke











Mark Driskill, Martin Keen, Dan O’Brien

CONTRIBUTING WRITERS
Scott Allbert, Dr. Robert L. Bailey, Scott Burt, Susan Bennett, Baird Brueseke, Doug Laney, Ronald Van Loon, Tim Patrick, Robert Smallwood, Scott Taylor, Andrew Ysasi

CONTRIBUTING PHOTOGRAPHERS
Scott Allbert, Baird Brueseke, Jessica Lindsay, Deanna Sapp-Phillips, Robert Smallwood

SPECIAL THANKS TO INTERVIEWEES:
Michael Quartararo, Teresa Schoch, Chris Surdak

Check us out online and sign up today for a free digital subscription to Information Governance World magazine.
subscribe.infogovworld.com

2358 University Ave # 488, San Diego, CA 92104

infogovworld.com 1.888.325.5914




Robert Smallwood CEO & Publisher


THESE ARE CHALLENGING TIMES, and during times like these those who embrace change and lead with authority will be winners and those who do not adapt will be left behind. The current coronavirus pandemic is having an impact on most all sectors of the global economy, and changing the way we are going to be able to plan and hold major events.

We saw the AIIM Conference held at the beginning of March, just before the panic hit. The attendance numbers were down about 20%, but that was to be expected. Then, the following week, ARMA Metro New York and nearby chapters held their annual Spring conference, defiantly, with about 60% of the usual attendance. I was to attend but decided to make my presentation remotely, due to health concerns. The very next week, NYC was shut down. Then came news that the annual IAPP conference, which was expecting over 5000 attendees, was cancelled, and the annual MER Conference, slated for early May, has gone digital for the first time. These times, they are a changin’.

So we at IG World have made the bold decision to hold our series of IG Summit events not only digitally and remotely, but using a 3D Virtual Reality (VR) meeting approach. This is the next big thing. Just look at the recent car race that was held where NASCAR drivers raced and slammed into each other in VR, and major rugby games were held in VR to keep fans engaged. Why VR? Because it gives you a sense of community and belonging to be in a room with others, even if it is a virtual room. Plus, it’s fun! The software allows you to greet a colleague and virtually “shake hands” and after a presentation you (your avatar) can clap, cheer, or even dance. Then during lunch you can teleport to the beach to socialize. So all sorts of things are possible.

We’re bringing you another great issue, filled with outstanding content from IG leaders. Our cover story is on the life and career of noted privacy attorney Teresa Schoch, who has family on both sides of the pond, and enjoys travel. We feature timely articles on the coronavirus from infonomics maven Doug Laney; and also Dr. Robert Bailey who resides in Singapore and lived through the SARS epidemic; as well as Andrew Ysasi on what IG pros should know about the pandemic. ACEDS’ new leader, Mike Quartararo, talks about IG and eDiscovery, and his vision for ACEDS. Scott Taylor, a/k/a “The Data Whisperer” discusses how to tell data stories using his “3Vs.” Ronald van Loon discusses new data governance tools for privacy compliance and IG World’s Baird Brueseke explains the new NIST privacy framework. InfoGov ANZ’s Susan Bennett offers insights into IG strategic frameworks from down under; and we talk with Gartner’s Chris Surdak about digital transformation, (and his unique, but ancient hobby). Integro CEO Scott Burt reveals important insights on organizational content journeys, and Scott Allbert writes about Project Cortex, a major new initiative by Microsoft.

So this issue is again packed with rich content on current topics to provide continuing education and to help you succeed in your IG programs. Happy reading!

Please send your comments, suggestions, and story ideas to me at Robert@infogovworld.com INFORMATION GOVERNANCE WORLD



ON THE COVER: Teresa Schoch, JD. Photo by www.PhotoAnnounceIt.com

INFORMATION GOVERNANCE IN SOCIETY
8 IG World’s IG & Infonomic$ Summit in New York & San Francisco and AIIM2020 Conference

INFORMATION GOVERNANCE BEST PRACTICES
10 From Rocket Man to Bird Man: The Worlds of Christopher Surdak
12 Optimizing the Lifeblood of Organizations by Susan Bennett
17 ARMA IG Survey Falls Short
18 Covit-19 Is Teaching Us “What It Means To Be Humans” by Isacc Issah Armstrong
19 What IG Pros Need to Know About the Coronavirus Outbreak by Andrew Ysasi

INFORMATION PRIVACY
20 Real Time Data Governance: New Tool Facilitates Privacy Compliance by Ronald Van Loon
23 NEWS: BigID Starts 2020 with $50 Million in New Funding
Data Protection Market to Grow $120 Billion By 2023
24 New Global Privacy Standard Established by Andrew Ysasi

INFORMATION SECURITY
26 Privacy is Cybersecurity for People by Tim Patrick
28 NIST Privacy Framework Sets New Standards for Cyber-Insurance by Baird Brueseke
30 First SoCal PrivacyOC Event Held by Scott Allbert

COVER STORY
32 The Power of Privacy: An Interview with Privacy Attorney Teresa Schoch

ANALYTICS & INFONOMICS
40 Data is Your Best Defense Against a Coronavirus Downturn by Doug Laney

LEGAL & EDISCOVERY
42 A Conversation with ACEDS’ Michael Quartararo
46 NEWS: Law Firm Launches Free E-Discovery App
47 NEWS: The Sedona Conference Updates eDiscovery Glossary

RECORDS & INFORMATION MANAGEMENT
48 New Coronavirus Outbreak by Dr. Robert L. Bailey
51 NEWS: NARA Following Through on White House Directive to go Paperless

DATA GOVERNANCE
52 Use the 3Vs to Tell Your Data Story: Vocabulary, Voice and Vision by Scott Taylor

CONTENT SERVICES
56 A Content Journey Every Enterprise Should be Thinking About By Scott Burt
NEWS: New 2020 Customers’ Choice for Content Services Platforms by Gartner

EMERGING TECHNOLOGY
58 Is Microsoft’s Project Cortex a Game-Changer? by Scott Allbert
60 NEWS: AI Assisting Doctors with COVID-19
NEWS: Insights into the AI technology Facebook Uses behind Instagram Explore

BANKING & FINANCIAL SERVICES
62 NEWS: European Central Bank Considers Digital Currency with Privacy Protections
NEWS: New Fintech Book by Devie Mohan
63 NEWS: Fintech Startup Portify raises $9.1M for ‘Gig economy’ App
More Regulation to Hit FinTech in 2020?

64 INFORMATION GOVERNANCE TRADE SHOWS
66 INFORMATION GOVERNANCE EVENTS


Information Governance: A PRIMER


According to the Sedona Conference, Information Governance (IG) is about minimizing information risks and costs while maximizing information value. This is a compact way to convey the key aims of IG programs.

The definition of IG can be distilled further. An even more succinct “elevator pitch” definition of IG is, “security, control, and optimization” of information. This is a short definition that anyone can remember. It is a useful one for communicating the basics of IG to executives.

To go into more detail: This definition means that information—particularly confidential, personal, or other sensitive information—is kept secure. It means that your organizational IG processes control who has access to which information, and when. And it means that information that no longer has business value is destroyed and the most valuable information is leveraged to provide new insights and value. In other words, it is optimized.


IG PROGRAMS REQUIRE CROSS-FUNCTIONAL COLLABORATION

IG involves coordination between data privacy, information security, IT, legal and litigation/e-discovery, risk management, business records management functions, and more. It is a complex, amalgamated discipline, as it is made up of multiple sub-disciplines. IG must be driven from the top down by a strong executive sponsor, with day-to-day management by an IG Lead, which is a person who could come from one of the major sub-disciplines of IG. The IG lead could come from IT, cyber-security, privacy, RIM, analytics, legal, operations, or related disciplines.

THE KEY DIFFERENCES BETWEEN DATA GOVERNANCE & INFORMATION GOVERNANCE

Data Governance (DG) and Information Governance (IG) are often confused. They are distinct disciplines, but DG is a subset of IG, and should be a part of an overall IG program. DG is the most rudimentary level to implement IG, and often DG programs provide the springboard for IG programs.

Data governance entails maintaining clean, unique (non-duplicate), structured data (in databases). Structured data is typically about 10%-20% of the total amount of information stored in an organization. DG includes data modeling and data security, and also utilizes data cleansing (or data scrubbing) to strip out corrupted, inaccurate, or extraneous data and deduplication, to eliminate redundant occurrences of data. Data Governance focuses on data quality from the ground up at the lowest or root level, so that subsequent clinical assessments, reports, analyses, and conclusions are based on clean, reliable, trusted data in database tables.

THE CHALLENGE: MANAGING UNSTRUCTURED INFORMATION

Unstructured information is the vast majority of information that organizations struggle to manage. Unstructured information generally lacks detailed metadata and includes scanned images, email messages, word processing documents, PDF documents, presentation slides, spreadsheets, audio recordings, video files, and the like. Unstructured information is more challenging to manage than structured information in databases, and is the primary focus of IG programs.

IG is much more broad and far-reaching than DG. IG programs include the overarching policies and processes to optimize and leverage information as an asset across functional silos while keeping it secure and meeting legal and privacy obligations. These IG program aims should always be in alignment with stated organizational business objectives.




IG & Infonomic$ Summit New York November 5, 2019

IG & Infonomic$ Summit San Francisco

January 30, 2020






1. Attendees network at the post-Summit reception and book signing. 2. Doug Laney, Peter Baumann, Rich Kessler, Neil Calvert, and panel moderator Robert Smallwood 3. Crowd enjoying the presentations 4. CBS’ Mary Sherwin, Brooke Seely of ActiveNav, Chely Cruz, Maribel Rivera from ACEDS






1. Glen Day, NVISNx CEO holds his signed copy of “Infonomics” (Laney in background). 2. Mitchell V. Banh of Dodge & Cox with his autographed copy of “Infonomics” with author Doug Laney. 3. Laney, Calvert, Kessler, Day, Smallwood 4. Attendees including Mitch Banh, Robert Cruz of Smarsh, Inc., and others network at the post-Summit reception. 5. Neil Calvert, CEO LINQ, readies himself to speak about digital transformation modeling.

Good Turnout at AIIM2020 Conference Despite COVID-19 Fears March, 2020


AIIM - Association of Intelligent Information Management

As I flew into Dallas to attend the AIIM 2020 conference, I began to hear reports about a possible cancellation of the event due to the coronavirus outbreak causing health risks. However, the conference was not cancelled, and the attendance was very good considering the pandemic circumstances. Over 500 information professionals showed up out of the 650 registrants. COVID-19 information was made available through announcements and discussion channels, including the AIIM Events app, complete with an awareness plan, updates, and guidance. Well done, AIIM staff.

President Peggy Winton stated how close they came to canceling the entire conference. “There were several long staff discussions on what we should do. We heard about several other industry conferences being cancelled around the country,” Ms. Winton stated. “Several of our big sponsors, including OpenText, had established travel restrictions for their employees. We went through a lot of effort to make the event safe for all sponsors and attendees. This included a ‘no handshake’ policy, medical information available, hand sanitizers everywhere, and constant reminders to wash your hands and be safe.”

This was the lucky 13th annual AIIM conference I have attended. In my opinion, this was one of the best—if not the best—of the conferences thus far. The event was packed full of attendees, high-quality speakers, and educational breakouts on important and relevant trends in our Intelligent Information Industry. The Solutions Lounge was packed full of vendors, including Microsoft. Microsoft had a major presence at the conference this year, sharing new information on the new M365 Project Cortex. (See my article on Project Cortex – Page 58)

I spoke directly with most of the 33 sponsors. They all expressed pleasure with the value of this year’s conference, including the decision-making and recommendation quality of the booth visitors. Over 50% of the attendees were first timers attending an AIIM Conference. This year’s end users included companies like Allstate, Johnson & Johnson, Walmart, Chevron, Chase Bank, and JP Morgan. Interestingly, 43% of the attendees were related to compliance while 22% were line-of-business users.

If you missed this year’s AIIM Conference, you missed a lot. I recommend you prepare to attend next year’s AIIM2021 Conference. I know I will.





1. Education Session 2. Alan Beaney, Greg Kaut & Neal Fischer 3. Chris McNulty, Microsoft 4. Peggy Winton, AIIM President 5. The AIIM Show Floor was busy 6. AIIM Company of Fellows









Christopher Surdak is an industry-recognized expert in Mobility, Social Media and Analytics, Big Data, Information Security, Regulatory Compliance, Artificial Intelligence and Cloud Computing with over 25 years of experience. Chris was literally a rocket scientist - he began his career with Lockheed Martin Astrospace, where he was a spacecraft systems engineer and rocket scientist. Presently he works for Gartner as an Executive Partner, specializing in Digital Transformation.

Mr. Surdak holds a Juris Doctor from Taft University, an Executive Masters in Technology Management and a Moore Fellowship from the Wharton School of Business at the University of Pennsylvania, a Master’s Certificate in Information Security from Villanova University and a BS in Mechanical Engineering from Pennsylvania State University.

He is the author of several books, including, The Care and Feeding of BOTS, which is a guide to the use of artificial intelligence, machine learning and robotics in the business world; Jerk: The Digital Transformation Cookbook, which explains the “Disruptor’s Formula” used by companies like Uber, Airbnb, Netflix and Simple Bank; and Data Crush: How the Information Tidal Wave is Driving New Business Opportunities, published by AMACOM Publishing, recipient of GetAbstract’s International Business Book of the Year, 2014.

Chris has been named, TechBeacon’s 14 Data Scientists You Should Follow on Twitter, 2019; Top 50 Data Science Influencers for 2018 by Cognilytica; Top 20 Big Data Influencers for 2016 and 2019 by Springboard.com; Information Governance Initiative’s Evangelist of the Year for 2015 and a number of other distinctions. He is also contributing editor and columnist for European Business Review, European Financial Review, China Business Review and HP Matter magazines. He provides talks, guidance and advice to global leaders on a range of technology, policy and business topics, including over 500 public speaking engagements in the last 5 years.

We caught up with Chris at his home outside Los Angeles.

IGW: Where did you grow up, go to school?

CS: I grew up in Big Flats, NY, a small town in upstate with about 5,000 residents. I went to Horseheads High school, then went to Penn State to study mechanical engineering. After graduating, I went to work for Lockheed Martin Astrospace as a satellite systems engineer. Two years later I went to UPenn for their executive masters in technology management program, and was their youngest-ever graduate. Later, I earned a master’s certificate in cyber security from Villanova and then my JD from Taft Law School.

IGW: What are some of your fondest childhood memories?

CS: Boy Scouts. Winter survival camping and summer camp. Hiking and canoeing in the Adirondacks. Playing in the woods with my dog.

IGW: How and why did you make the transition from mechanical engineering to cybersecurity? Do you still stay on top of the cybersec space?

CS: Accidentally. I was working in collaboration and content management, which led to eDiscovery and compliance, which led to cyber security.

IGW: What sparked your interest in the Law? And why did you want to pursue a law degree later in your career?

CS: Working on customer analytics, predictive analytics and behavioral analytics, and compliance, scared me so much that I went to get my law degree so I could hope to make sense of regulatory implications of Amazon, Google, Apple and Facebook.

IGW: What sparked your interest in robotic process automation (RPA) and Intelligent Automation? How do you think you can make a difference in that space?

CS: Again - It was completely accidental! A colleague of mine who knew of my interest in digital transformation invited me to speak at a Wall Street event for “Robotics in Financial Services.” I had no idea of what RPA was, but I said, “Sure, I’ll come along.” In five minutes I realized it was all just process engineering and I was totally comfortable in the discussion.

IGW: What trends do you see emerging in RPA?

CS: Success, for a change. Realistic expectations will begin to merge with actual, hands-on experience and some engineering rigor and finally the stuff will start to work. According to Gartner, 5% of companies succeed with RPA at scale. That means it is possible, it is just way, way harder than people have been told.

IGW: How is RPA going to transform work in the next 5-10 years? Are there any downsides to it?

CS: Processes will collapse. We may use the same old, tired, inefficient rules and processes, but they’ll happen way faster. Companies’ information metabolisms will speed up dramatically, which will force them to go through a new wave of reengineering, which is long overdue. Our workforce will be cybernetic: part human part machine, with each worker contributing to their best abilities. Knowledge workers who perform transactional tasks will be eliminated in vast numbers, and will need to up-skill themselves in order to remain relevant, and employed. By 2025, bots will blend into our work and we won’t even notice they’re there. Companies who haven’t figured RPA out in the next 2-3 years will be at a substantial structural disadvantage, not only from a cost perspective but from a recruiting perspective. Finding people willing to do “bot work” will become increasingly difficult.

IGW: What is the biggest mistake companies make in evaluating and implementing RPA solutions?

CS: Believing the hype. They’re believing that they can buy a bot for $10,000 and it will take two days to deploy, run forever without any support, never fail, and never need changes. People have been sold these “unicorn” bots, but they’re not unicorns, they’re flying zebra unicorns... They simply don’t exist.

IGW: Who is your favorite author and favorite book, and why?

CS: Cosmos, by Carl Sagan. He was the first author of the modern era to make science seem cool.

IGW: What hobby or special skill do you have that might surprise your colleagues?

CS: I have a life-long passion for falconry, which is the training of wild raptors to hunt for you. It’s humanity’s oldest sport.



Optimizing the Lifeblood of Organizations BY SUSAN BENNETT

• Information governance (IG) provides a unified strategic framework for the control, security, optimization and effective use of information.
• This article outlines how an overarching IG framework enables alignment of policies, procedures, people and technologies.
• When information is effectively governed data will be optimized and associated risks and costs minimized.

Data and information are increasingly becoming the lifeblood of organizations. However, the exponential amounts of data being collected by companies and government alike, together with the risks and costs of holding and securing this information, have created a new set of issues for those responsible for organizational governance.

A healthy circulatory system increases overall health and improves our ability to function. Likewise, the optimal use of data and information will improve the effectiveness of an organization. This article explains why identifying and coordinating the areas, people and technologies responsible for keeping the lifeblood of your organization in good health is key to effective information governance (IG).

IG provides a unified strategic framework for the control, security, optimization and effective use of information. It is an essential part of good corporate governance, assisting organizations to maximize the value of information while minimizing risks and costs by providing a mechanism to align policies and processes, people and technologies across an organization.

The IG diagram below shows different areas and activities within an organization responsible for the security, control, optimization and risk management of data and information. There may be more or fewer areas according to the type and size of the organization. The key to implementing an effective information governance framework is to first identify all the areas and professionals responsible to ensure the areas are aligned and can collaborate to deliver on organizational objectives.


Susan Bennett. Portrait by Jessica Lindsay

With this in place, policies and processes also need to be aligned across the organization in accordance with overarching organizational strategic goals. With a strong IG framework in place, IG projects can then be prioritized within the purview of the senior executive with overall responsibility for information governance and/or the IG steering committee with the involvement of appropriate cross-function professionals. Projects involving data and technology are planned and executed addressing the needs of business users, technology and cybersecurity, legal/privacy regulatory compliance, lifecycle management, records compliance and long-term preservation.

The InfoGovANZ Elements of Information Governance diagram depicts the alignment and coordination required between different IG areas and activities. This visualization, which can be adjusted as necessary to align with the areas within your organization, provides a clearer understanding of how an overarching IG Framework enables alignment of policies, procedures, people and technologies.



[Figure: InfoGovANZ Elements of Information Governance diagram. Elements shown: Cybersecurity & Info Security; AI & Ethics; Data Analytics & Infonomics; Business Intelligence; Legal & eDiscovery; Privacy & Data Protection; Data Governance; Risk & Compliance; Content Services; Information & Records Management; Information Lifecycle Management; Archiving & Long-term Digital Preservation]

Each area of IG is like an organ in the body of the organization — each with its purpose, and together they combine to form the life-supporting systems which carry out the organization’s vital functions. Just like the body, the functions of these essential systems overlap, interact and rely on each other to support life. Understanding the interrelationships and dependencies of the system as a whole:

• Provides a useful framework for implementing a cohesive and comprehensive IG framework
• Helps to prioritize and guide projects that link to information governance
• Makes it easy to recognize and adapt to technology trends and best practice IG
• Ensures organizations have a strong IG framework that protects them, their employees and the customers they serve.

Often organizations focus on only a few elements or areas of the information quagmire. Enhancing the value of data being optimized through the use of technology and data analytics to deliver value and returns directly to the bottom line is a common driver due to the financial benefits. Investment in enhanced cybersecurity to prevent cyberattacks and data breaches has also increased over recent years due to mandatory notification regulatory requirements and more visible cyber-threats.

However, more than a third of data breaches are caused by human error rather than a technology-based exploit. When phishing attacks are included, about half of data breaches can be attributed to human error. These breaches are entirely preventable but remain a significant risk to organizations. Privacy-by-design, security-by-design and privacy impact assessments (PIAs) are core to the best practice of managing personal information. Effective IG can assist organizations to ensure that personal information breach risks, which can be life threatening to an organization, as hemorrhage is to us, are identified and resolved.

GETTING TO KNOW THE INFORMATION GOVERNANCE ELEMENTS

The Elements of Information Governance diagram is a tool for organizations to use when establishing information governance for the first time or to ensure all aspects of information governance have been included in an existing information governance framework.

Information Governance (IG) is front and center and is represented by a digital pine cone, ‘the third eye’ (1). In IG, the pine cone analogy is fitting as it represents the center or navigation starting point of all activities. It demonstrates how a robust IG framework provides the structure and mechanism to enable insights and effective guidance and control.

Six icons surround the IG center — here’s what they represent concerning information governance:

The People icon highlights effective IG is impossible without the involvement of the right people. It is situated in the upper left position of center next to elements that demonstrate the important role people play in an organization, both internally and externally. Internally, the people represent the collaboration across organizational silos and the effective innovation with security by design and privacy by design, and importantly the protection and security of information by employees. Externally, people in an organization must protect consumers’ and privacy by ensuring compliance with privacy regulations, act socially responsible and adhere to the ethical use of data.

The Lightbulb icon is located above the IG center just under the top line connection of elements. It denotes new, innovative and impactful and technologies.

The Dollar Sign icon is in the upper right position from the IG center, parallel to the people icon. It is close to those elements that identify from data optimization (i.e., data analytics), as well as controlling and minimizing costs by reducing risks.

The Cog/Gear icon is at the lower right of the IG center near those elements that are largely procedural functions. This icon represents workings and processes of the organization, meaning the data and information being used across the organization and the need for collaboration and alignment with strategic organizational goals.

The House icon is directly under the IG center and atop the bottom-line connection of elements. The house icon serves as a reminder that requires a top-down strategic approach built on a strong foundation of clear policies and procedures.

The Lock icon is in the lower-left position of the IG center, parallel to the cog/gear icon. Its protective function symbolizes the importance of data and information.

The elements link to the icons and the IG center in a continuous chain. All of the elements must combine and connect to provide an effective information governance system. This requires the interaction and collaboration of relevant professionals for an organization to have a complete information governance framework. The elements on the top and middle rows to the left reflect people-focused activities, while those to the right are data-focused activities. The elements on the bottom row are information-focused and reflect foundation services.

Top Row
Cybersecurity & Info Security — cybersecurity focuses on the perimeter, while information security secures the information within the system
AI & Ethics — implementing artificial intelligence through an ethical-based process based on a data impact assessment
Data Analytics & Infonomics — deriving the value of information from data analytics
Business Intelligence — the hardware, software, staffing and strategy used to glean intelligence from data

Middle Row
Legal & eDiscovery — the identification and retrieval of documents for litigation and ensuring such documents can be readily identified and produced to reduce costs; incorporating the use of AI in eDiscovery
Privacy & Data Protection — privacy by design and robust privacy policies as part of the overall governance framework
Data Governance — controlling data at the data level and ensuring integrity through appropriate systems and processes
Risk & Compliance — a coordinated strategy for managing the organization’s risk and corporate compliance concerning regulatory requirements

Bottom Row
Content Services — preserving and protecting content; information access, sharing and collaboration
Information & Records Management — how information is being managed and the activities to systematically control the creation, distribution, use, maintenance and disposition of information
Information Lifecycle Management — best practices for managing data and information throughout its lifecycle
Archiving & Long-term Digital Preservation — storing information in ways that can be readily retrieved many years into the future

Summary

Taken together, all the icons and elements represent the different interlocking areas and activities that deal with data and information in organizations. A systematic approach to information governance begins with an Information Governance Framework that encompasses policies, procedures, people and technology.


This includes:

• Identifying all the areas and technologies within your organization — that is, the IG Elements in your organization;
• Putting strategic objectives and priorities in place for managing, controlling and securing the data and information your organization collects, uses and stores;
• Implementing measures to protect the organization’s intellectual property;
• Complying with regulatory and legal obligations including record-keeping obligations and, in particular, changing privacy regulations;
• Optimizing the value of information to support the organization’s objectives while managing risks and costs, such as those associated with a data breach and eDiscovery.

The key to ensuring the effectiveness of information governance is top-down board and senior executive leadership that supports robust policies and procedures that are aligned across the organization and with overarching organizational goals, which deliver value to the organization.

Top-down board leadership setting the overall IG framework is the ‘brain’, leading a data-driven organization with an ethical and privacy culture. The senior executive with overall responsibility for information governance and/or the IG steering committee are the organizational ‘third-eye’. They set IG project priorities, provide guidance and encourage cross-functional collaboration, oversee implementation and review outcomes. Policies, processes, technologies and people all work together to enable efficient data flow including optimization, regulatory compliance and appropriate data and information disposal.

When information is effectively governed with data optimized and associated risks and costs minimized, then the overall performance of the business will increase — delivering the benefits of a healthy data and information circulatory system.

SUSAN BENNETT IS A LEADING INFORMATION GOVERNANCE EXPERT AND AN INTERNATIONAL PRIVACY LAWYER, BASED IN SYDNEY, AUSTRALIA. SHE ESTABLISHED HER OWN BUSINESS SEVEN YEARS AGO, SIBENCO LEGAL & ADVISORY, AND SUBSEQUENTLY INFORMATION GOVERNANCE ANZ. PRIOR TO THIS, SUSAN SPENT OVER 20 YEARS SPECIALIZING IN LARGE-SCALE COMMERCIAL LITIGATION, INQUIRIES, AND ROYAL COMMISSIONS. SUSAN HOLDS A MASTER OF LAW AND A MASTER OF BUSINESS ADMINISTRATION, AND IS A CERTIFIED INFORMATION PRIVACY PROFESSIONAL (CIPP/E). SHE IS ALSO CHAIR OF THE SEDONA WG6 APAC COMMITTEE AND A FELLOW OF THE GOVERNANCE INSTITUTE OF AUSTRALIA. SUSAN CAN BE CONTACTED AT SUSAN.BENNETT@SIBENCO.COM

REFERENCE
(1) Throughout history, the pine cone has been a sacred symbol of human enlightenment, viewed as an eye of higher consciousness — the ancient symbol for the third eye — and non-dualistic thinking. Many believe the third eye is at the geometric center of the brain and a symbolic representation of navigation.

The views expressed therein are those of the author and not of Governance Institute of Australia. All views and opinions are provided as general commentary only and should not be relied upon in place of specific accounting, legal or other professional advice.




ARMA IG Survey Falls Short


In March, ARMA International released the results of the first of a planned annual series of IG surveys, “IG Maturity Index Report – 2020,” sponsored by NetGovern, a Montreal-based software company that specializes in email and archiving, which recently added a file analysis tool to its offerings. NetGovern used to be called NetMail, and most of their business originated from supporting email for Novell NetWare. The survey was conducted with the assistance of Mike Osterman of Osterman Research, a respected source which specializes in writing white papers for software vendors.

The presentation of the results during a Zoom webinar was executed well, led by ARMA’s Nick Inglis, Executive Director of Content and Programming, and Ann Snyder, Manager of Content Development. But the approach, design, and results of the survey turned out to be self-serving for ARMA and NetGovern, and not the ARMA community or broader IG market. Those on the low-end of the maturity scale are potential sales prospects for NetGovern, and training prospects for ARMA. Essentially, the survey was designed to measure the maturity of items that tie into ARMA’s new and unproven IG Implementation Model. The 2020 report states additional ARMA training classes will be developed (“ ... forthcoming educational and training materials [from ARMA] will target the seven areas of the IGIM and the elements within each.”)

IG World believes the 2021 IG Maturity Index Report could be improved by adding more questions, and taking an approach which addresses the following issues with the 2020 survey:

1. There was little for the IG community to gain in terms of insights. No questions on who the executive sponsors are in successful IG programs; no questions about major barriers to IG implementation; none on the specific IG subprograms being implemented, and their relative successes; none on the business case for IG programs; no information on data monetization or other tangible benefits derived from IG programs. The answers to these questions would have been helpful to fostering the development of IG programs, and to the IG community as a whole;

2. The largest segment studied – by far – was government. Fully 27.4% of respondents work in government, whereas the next responding segments were Financial Services (10.1%) followed by Legal (7.3%), Manufacturing (6.9%), Utilities (6.8%), and Professional Services (6.5%). So the number of government respondents was three or four times the number of respondents from key segments of the commercial economy, which presents a skewed view. No data was provided on the location of the respondents, and important factors, such as the fact that IG programs are required for Australian governmental agencies and the National Health Service in the UK, were not considered or reported. And important sectors like Healthcare and Pharmaceuticals only made up 3.5% and 2.2% of the respondents;

3. Fully 46.3% of the respondents were organizations with 1000 or less employees. The most active and successful IG programs are in larger organizations that are highly regulated, like those in financial services, utilities, energy, and pharma, so the results are skewed. Of note is that the sponsor, NetGovern, targets small and mid-market companies in marketing efforts. Also, no distinction was made for those with 1000+ employees, that is, companies with 100,000 employees were lumped in with those with 1001 employees. It is clear that these are very different segments, and they should be broken out;

4. The job function of the largest number of respondents was Records Management, at 43.6% (and you could add 11.2% who view their jobs as “Information Management”). Yet, based on previous industry research, the most typical leaders of IG programs are General Counsel, although the Legal function made up only 2.9% of the survey group. The very important area of Privacy was almost ignored, as only .4% of the respondents came from that job function;

5. Vendor responses were collected but excluded. Instead of reporting on the Tech segment, these responses were discarded. Certainly, other software companies are not sales targets for NetGovern, so why analyze them?

6. The results in each category measured followed a basic bell curve, which seems a little suspect when you look at the numbers, as there was little variability. Did the respondents mostly just check the “3” as they were busy at the ARMA conference and wanted to finish quickly? On all but one measure, respondents ranked their IG program a “3” (out of 5) at between 31.1% and 34.6%. The percentage of respondents that ranked their program a “3” was: Authorities 32%; Supports 31.1%; Processes 34.6%; Capabilities 33.6.1%; Structures 32.1%; Infrastructure 32.0%; Steering Committee 28.7%; Overall IG Maturity 31.8%.

So ARMA gets an “A” for taking some initiative, but a “C” on the results of their effort.





Humans are social animals but what differentiates us from other animals is being “Humane.” We have higher intelligence than other animals, we are compassionate, and, most importantly, can distinguish good from bad. Being good is to have empathy. Unfortunately, nowadays this trait is missing in our generation. We have become more self-centered. As an individual, I struggle to understand the original purpose for humanity when I observe the deeply stratified axis on which the human race is evolving – all in the name of capitalism. The gory story of a modern society that sprouted on the grounds of love and is now uprooting itself through the dominance of calculative and representational thinking of the haves and the have-nots threatens the very essence of our existence. The competitive and self-preserving nature of humans today is so corrosive that humans have completely lost the sense of what we truly need – a sense of belongingness, love for all, forgiveness, mercy over judgment, and ‘us’ over ‘me.’ It almost feels like the coronavirus is a warning sign thrown at us by our future selves to remind us to go back to the fundamentals of being humane so that our future is not crumpled into a fragmented frame. And I am so amazed that this pandemic has caused a dramatic shift in human behavior across the globe – for once, we are all acting in unison to protect each other’s lives. If that is not revolutionary, then you tell me what it is.
I never imagined in my wildest dreams that there would come a time where a viral infection could alter how we treat each other in the most profound ways: People buying little so other families can have something to survive on, Clinics giving out their supplies to hospitals so more lives can be saved, Banks charging no penalties for defaulting loan repayments, Airlines offering free flight cancellations and full refunds, Competitive pharmaceutical brands coming together to find a way to contain and eradicate the virus, Property owners writing off rent payments for businesses so they can pay their employees, Homeowners waiving rent for tenants who cannot pay, The government financially supporting families that cannot survive due to containment measures,



The homeless being provided shelter and feeding, Governments halting many economic activities so everyone would be safe, Parents staying home to ensure the safety of the entire family. For once, we care about the safety and health of everyone, not just our individual selves. Before, the reverse of these instances was our reality. Children now have the full complement of their parents’ time at home, families are bonding more, and society has gone back to the basics – love. This is a true testament to how challenges can change us. We are going to continue to evolve in unforeseen ways as we stand as one people in pursuit of life. The world is full of complexities and unpredictabilities that have yet to completely surface. Life’s unpredictability will draw the human in us out, and what defines us would now be our will to live and love. If we can treat disasters the same way we treat each other – with urgency and with all the available resources regardless of the state of the economy or budget, then the country and the world at large would be such a beautiful place for us. Mahatma Gandhi said that “The greatness of humanity is not in being human, but in being humane.” We are therefore healthy only to the extent that our ideas are humane. We can all pray to whatever or whomever we have faith in, but just as Abhijit Naskar admonishes, we must keep in mind that: “No god is coming to save you no messiah is coming to save you - all the gods and all the messiahs that can save our world are already here - they are us - each one of us.” Let us live in love and as one, for none of us is strong enough to face the forces of nature. So, in concluding, I would like to borrow the words of Coach Boone in the movie “Remember the Titans” and say: “You listen, and you take a lesson from the dead. If we don’t come together right now on this hallowed ground, we too will be destroyed, just like they were. I don’t care if you like each other or not, but you will respect each other. 
And maybe…I don’t know, maybe we’ll learn to play this game…” ISAAC ISSAH ARMSTRONG IS A DOCUMENT MANAGEMENT SYSTEM SPECIALIST AT GENENTECH AND MAY BE REACHED AT ISAACARMSTRONG@LIVE.COM

Source: www.boredpanda.com

What IG Pros Need to Know About the Coronavirus Outbreak BY ANDREW YSASI


The coronavirus, which brings on the disease Covid-19, has made its way to the United States. Despite your feelings on whether the virus is something we need to be concerned about, there are some concerns you need to be aware of as it relates to your privacy and rights. Further, consider how the virus may relate to the organization you work for and the data you use or are potentially responsible for protecting.

The Center for Disease Control (CDC) is a federal organization in the United States. The Public Health Service Act put in place in 1944 gives the CDC extensive powers. While they intend to keep citizens aware, safe, and protected from an outbreak, they may have the ability to do so without your privacy concerns in mind. The CDC has a field manual that outlines the powers that the CDC has and the limitations to those powers. Below is an outline of those powers taken directly from the manual:

• The protection must fit within the US Constitution and Bill of Rights of individuals
• A state’s authority or “police powers” is extensive where many states can examine, treat, and quarantine citizens
• The Fourth Amendment protects citizens from unnecessary searches and seizures
• The Fifth Amendment prohibits the federal government from depriving any person of life, liberty or property without due process
• If the CDC is met with resistance during an investigation, they may need assistance from the state’s attorney general for a court order
• The state has inherent authority to impose restrictions on private rights for the sake of public welfare, order, and security

Once the state has permission to view the information by law, authorities may:

• Obtain specimens from hospitals or private labs
• Review patient medical records
• Administer questionnaires
• Implement a variety of controls to prevent reoccurrence
• Collect additional data on an ongoing basis
• Close a business or restrict activities
• Quarantine an exposed person
• Vaccinate or administer antibiotics to exposed groups

Now that we understand a bit of the authority and access, let’s talk about your rights during an outbreak. Essentially, the CDC and the state, if they feel you could help stop an epidemic, can basically quarantine you, shut down your organization, and possibly your access to your residence. At this point, your privacy is virtually gone, but it isn’t (shouldn’t be) public (have you seen the New York lawyer who tested positive for the coronavirus having his picture splashed all over TV? The media ran with the story, without concern for personal privacy).

So, what can you do to prepare yourself and organization in the event you become wrapped up with the CDC or the state? Check out these tips below (and no, the below does not constitute legal advice):

• Have a backup and restore process for your data. An offline, off-network backup, handled by individuals who have trusted access, is preferred
• Review your business continuity plan specifically for a loss of location and key individuals
• If you are sick or at high risk for a potential outbreak, have an attorney at the ready
• Have a family plan on what to do in the event you or a loved one is unavailable, such as Power of Attorney documents, spare keys, and potential access to financial accounts
• Know that regulatory guidelines such as HIPAA may have exemptions
• Talk to local authorities about how their plans could impact your organization
• Ask for paperwork, documentation, names, and any information you can gather from authorities
• Wash your hands—thoroughly and often, and cough into your elbow, not your hands

The coronavirus is not the first global viral outbreak, and it will certainly not be the last. Investing in preparedness is something every individual and organization should do. After all, if one were to become ill with this virus, the only thing that should matter is getting well and preventing others from falling ill.




In the race to be at the top of data analytics, organizations are implementing measures that position them in a favorable spot. The key to extracting the most from your data is to have pertinent data governance policies in place. With the requirement for data governance, it is even better to have real-time governance of data so that analytics flow smoothly without the need for consistently overlooking data.

Being an Io-Tahoe partner, I have had the good fortune of being associated with the team that has launched the very first real-time data governance tool on the market. The Smart Streaming Discovery is the latest addition to the Smart Data Discovery platform by Io-Tahoe and gives users the ability to discover and act on a wide range of streaming data. This technology is believed to be the very first of its kind and gives users of Io-Tahoe the chance to discover Personally Identifiable Information (PII) from data in motion. This real-time governance enables an organization to govern data on the move and adhere to the regulatory compliance measures in place.

REAL-TIME DISCOVERY OF PII

“The innovative capabilities we have announced make Io-Tahoe a leader in the discovery of streaming PII and sensitive data, enabling automated governance. We believe this is a significant shift in the industry from discovering and cataloging static data, to data in motion,” said the Chief Technology and Product Officer at Io-Tahoe, Rohit Mahajan. “Not only will organizations know what data they have and where it is located, but they will also now have the ability to understand what data is sensitive and flag it before it lands in data stores. This real-time insight is invaluable for businesses to proactively manage PII and sensitive data as opposed to discovering such data after it lands in the target data source.”

We frequently see data breach scandals in the news, from external firms having access to personal data up to leaks of information that includes the consumer’s social security number, driver’s license number, credit dispute information, and other personal details. Any organization found guilty of leaking customer data is always taken to task for its involvement in the matter. Such matters are dealt with strictly, and brand rapport can be damaged beyond repair.





INFORMATION PRIVACY USER PROTECTION

Considering how organizations have been guilty of using customer data for unethical means, we now have strict regulations in place for protecting the rights of the users involved. There are more refined regulations in place to keep a check on organizations and make sure that user rights are being safeguarded at all costs. Some of the more refined and updated regulations that have come into the market include the CCPA (California Consumer Privacy Act) and the GDPR (General Data Protection Regulation). Considering the emphasis on the security of PII, Io-Tahoe gives its users a chance to proactively manage PII and sensitive data. Organizations can then take the appropriate steps to ensure that all their sensitive data is safeguarded and that no breaches happen.

Challenges of Data Compliance and Possible Strategies

The growth in data campaigns for organizations means that there are now multiple challenges related to data compliance. These challenges include:

1. Rapid data growth: Organizations now have rapid data growth happening around them. The data around different channels are growing rapidly, and organizations have a flood of data. This data leads to confusion as to where the data is sourced from, and where it is being stored.

2. Legacy Systems: The legacy systems in place within most organizations are not enough for storing data. Organizations are now required to become acquainted with the right systems for future growth. Organizations plan on remaining compliant while keeping legacy data secure.

3. Regulations: With so many regulations around them, organizations have a hard time keeping track of laws and regulations. As part of this, it is best to go through different regulations and policies. For starters, the GDPR is the most common regulatory policy nowadays and works in tandem with many other policies.

Aware of these challenges, organizations want to know how they can stay compliant. Tips to staying compliant and remaining on the right side of the law include the following:

1. Be Open: You need to start off by telling people what you will be doing with their data. Users should know what is being done with their personal information, so they are on the same page as you. If your customers are aware of your intentions, you have nothing to be concerned about.

2. Have Real-Time Governance: Real-time governance like what is being offered by Io-Tahoe can reduce the hassles surrounding data compliance. Through real-time governance, organizations can identify different issues that might create a larger problem later down the line.

3. Take Extra Care of Personal Data: The personal data that your organization has should be held with extra care. Your customers deserve the best regulatory policies on your end, so you should give them nothing short of the best. Look into their sensitive data and make sure that all of their financial and sensitive personal information is being safeguarded.

4. Uphold Individual Rights: Individual rights should be upheld so that your dedication to customer rights isn’t questioned in the future.

5. Store Information Securely: Your data storage methods are extremely important for your cause. If you don’t have a pertinent data storage method in place, you are at risk of being attacked by external hackers.

AI/ML can support organizations in remaining compliant and on the right side of the law at all times. The continuous automated data governance enabled by Io-Tahoe as part of their latest release is the result of a combination of AI and ML technology. The automated governance of data, driven by AI, will lead the move towards the future, and ensure that organizations have a more stable look at their data. With this new and innovative AI-driven real-time data governance model, complications in data compliance can be addressed before they become larger issues.

“Between 2018 and 2023, Gartner estimates that revenue for event stream processing (ESP) platforms will grow 15% a year every year.” According to Gartner, “data loss prevention solutions focus on the discovery, classification, and monitoring of information at rest, in use and in motion, with the objectives to prevent leaks, build oversight and manage data. These DLP functions inherently support compliance with the GDPR (General Data Protection Regulation) through a detailed inventory of where personal data is, how it is used and how to best manage its access and movement.”




BigID, a leader in privacy-oriented data discovery, intelligence and automation announced that it has raised $50 million in new funding from Tiger Global, less than four months after previously raising a $50M Series C. The new capital will be used to deliver new products in privacy and protection of personal data along with expansion of go-to-market strategies across the globe. With $144 million raised in less than two years, BigID has established itself as a leader in privacy-centric data discovery and intelligence to help enterprises automate privacy compliance activities like data access rights, data sharing management, and consent governance. With the 2020 California Consumer Privacy Act going into effect, and new state and global regulations set to follow, BigID is poised to build on this leadership to help enterprises better know and better protect their most important data crown jewels. “Since starting in 2016, BigID has aimed to rethink how organizations provide data accountability to their customers through more intelligent data accounting,” explained Dimitri Sirota, CEO and co-founder of BigID. “Before BigID, data privacy was largely about policy and process. BigID put data at the center, redefining how enterprises find, manage and protect their most important asset: their customer and employee data. 
The new funding reflects the success BigID has achieved with customers and partners in a few short years and positions the company to maintain its innovation leadership for years to come.”

Some BigID highlights from the past two years include:

• 2019 sales growth of 4x over 2018
• $44M raised in 2018 followed by $100M raised in 2019
• Introduced first-of-its-kind identity correlation technology for finding and mapping personal data to any person across any data source
• Introduced first data access request fulfillment technology into the privacy market for automating CCPA and GDPR data rights https://www.bigid.co/privacyautomation
• Won the 2018 RSA Innovation Sandbox followed by 17 other awards and commendations for data, privacy and security innovation
• Global sales expansion to Europe, Latin America and Asia https://bigid.co/global
• Achievement of Microsoft co-sell ready status https://bigid.co/cosell-ready/
• Becoming an SAP Solex global reseller https://bigid.co/sap-solex
• Introduced BigID Enterprise, with an expanded set of automations
• Strategic investment by Salesforce Ventures https://medium.com/salesforceventures/bigid
• Introduced the industry’s first data discovery and intelligence solution for modern data pipelines like Kafka and Kinesis https://www.bigid.co/kafka
• Joining the AWS marketplace https://bigid.co/aws

About BigID: Based in New York and Tel Aviv, BigID uses advanced machine learning and identity intelligence to help enterprises better protect their customer and employee data at petabyte scale. Using BigID, enterprises can better safeguard and assure the privacy of their most sensitive data, reducing breach risk and enabling compliance with emerging data protection regulations like the EU’s General Data Protection Regulation and California Consumer Privacy Act.
BigID has been recognized for its privacy innovation as the 2018 RSA Conference Innovation Sandbox winner, a CB Insights 2018 Cyber Defender, Network Products Guide 2018 IT World Awards “Hot Company of the Year” winner, a 2019 InformationWeek Vendor to Watch, a 2019 Business Insider enterprise vendor “to bet your career on,” and a 2019 World Economic Forum Technology Pioneer. Learn more at http://bigid.com.

DATA PROTECTION MARKET TO GROW $120 BILLION BY 2023

The Data Protection Market is expected to exceed more than $120 Billion by 2023 at a CAGR of 15% in the given forecast period, according to a recent report. The report covers detailed competitive outlook including the market share and company profiles of the key participants operating in the global market. Key players profiled in the report include IBM, HPE, Symantec, CA Technologies, McAfee, Oracle, Quest Software, Netapp, Veeam and Acronis. Company profiles include items such as company summary, financial summary, business strategy and planning, SWOT analysis and current developments.

Data protection is the process of protecting data and involves the relationship between the collection and dissemination of data and technology, the public perception and expectation of privacy and the political and legal underpinnings surrounding that data. It aims to strike a balance between individual privacy rights while still allowing data to be used for business purposes.

The scope of the report includes a detailed study of Data Protection Market with the reasons given for variations in the growth of the industry in certain regions. This report provides:

1) An overview of the global market for Data Protection Market and related technologies.
2) Analyses of global market trends, with data from 2015, estimates for 2016 and 2017, and projections of compound annual growth rates (CAGRs) through 2023.
3) Identifications of new market opportunities and targeted promotional plans for Data Protection Market.
4) Discussion of research and development, and the demand for new products and new applications.
5) Comprehensive company profiles of major players in the industry.

The Data Protection Market is segmented on the Basis of Component Type, Vertical Type, Organization Size Type, Deployment Mode Type and Regional Analysis. The full report may be found here, where you may request a sample: https://www.marketresearchengine.com/data-protection-market






As privacy regulations continue to be introduced around the globe, organizations now have an ISO standard they can look to for guidance. In August of 2019, ISO 27701:2019 was published and included the requirements and guidance for establishing, implementing, maintaining, and continually improving a Privacy Information Management System (PIMS). Notably, the standard is linked to the ISO 27000 series that provides guidance on security techniques for keeping information secure. In fact, ISO 27001 conformance is a required prerequisite for ISO 27701 compliance. ISO 27701:2019 can be the foundation for compliance with GDPR, CCPA and other privacy regulations that may emerge. The standard is broken into four parts: The first two parts map to existing ISO standards that fall under the ISO 27000 information security standard. The other two are specific to privacy-related elements.

PIMS Requirements Related to ISO 27001:2013

ISO 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). Defining the program, scope, charter, framework, vision, policy, alignment to strategy, team, defined activities, training, and communication are all key elements of a successful ISMS. Additional elements such as benchmarking, mapping data inventories, data flows, performing a risk assessment, incident reports, auditing, regulatory analysis, record retention, vendor management, contractual requirements, data location, Privacy Threshold Analysis (PTA), Privacy Impact Assessments (PIA), and minimum standards for safeguarding information are included in 27701. Beyond that, management review, corrective action, continual improvement, and privacy by design are required.

PIMS Guidance Related to ISO 27002:2013

ISO 27002:2013 is the second major part of ISO 27701:2019. This standard provides the guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls taking into consideration the organization’s information security environment(s). In more everyday language, this part of 27701 gets into the technical elements. Unlike the first part (ISO 27001), technical environments can vary greatly, hence the use of the word guidance versus requirements. Setting up formal information security, security around employees handling data, creating a security team, access controls, incident reporting, information classification, user access, media handling, cryptography, information asset protection, data backup and recovery, logging, and data transfers are some of the elements that should be considered per ISO 27002:2013. Further, integrating privacy by design into the system development lifecycle (SDLC), vendor risk assessments, overall compliance, audits, and reviews of the security system are all included in detail throughout this standard. The standards committee went to great lengths to ensure that existing standards help organizations set the floor when it comes to securing systems that store and process PII.

Guidance for PII Controllers

The third major part of this standard provides specific guidance for PII controllers. This part and the subsequent parts will likely continue to evolve in future versions of this standard as new risks and technology become evident. Topics such as identifying where PII exists, understanding the lawful collection and processing of PII, understanding and recording consent from individuals, understanding the relationship between processors and controllers, knowing obligations to data subjects, sharing, accuracy, quality, and a deeper dive in regulatory requirements in this standard give processors ample guidance. When key stakeholders or business sponsors want to know specifics of information privacy, this part shines a light on what has to be done above and beyond complying with PIMS guidelines as it relates to PII.

Guidance for PII Processors

The final major part of this standard is for personal data processors. Understanding the difference between controllers and processors of PII is essential for organizations, for they have specific responsibilities. Data purpose limitation, fairness, transparency, privacy notices, documentation for regulators, vendor management, sharing, managing subcontractors, disclosures to third-parties, transfers between jurisdictions, marketing and advertising use, and a myriad of other data privacy elements are expanded upon under this part.

In addition to the four major parts, the standard contains guidance that provides the further mapping of other ISO standards and directly to GDPR. Organizations that have an existing focus on ISO 27001 and ISO 27002 certainly have an advantage if they are pursuing ISO 27701 readiness or certification. ISO 27701 provides organizations the road map to protect PII, but the question is, will organizations invest in ISO 27701 compliance?

ANDREW YSASI, MS, FIP, FIIM, CIPM, CIPP, CISM, PMP, CRM, IGP, CIP IS VICE PRESIDENT OF ADVOCACY FOR VRC, AND IS PRESIDENT OF IG GURU® AN IG NEWS ORGANIZATION.




WHY DO COMPANIES NEED CYBERSECURITY?

Have you ever heard a company talk about privacy when they are discussing a massive hack and theft of your data? Why is cybersecurity such a buzzword when simple privacy would solve so many issues related to technology? There is daily news about data breaches, companies getting hacked by professionals working for the intelligence community, military, or organized crime. In response, an entire industry of hackers, cybersecurity professionals, and consultants is working to offset this. It is literally a game of Spy vs Spy in the digital world, where sometimes the professionals switch “colors” between Black Hat and White Hat (or even Grey).

WHAT DOES CYBERSECURITY PROTECT?

Cybersecurity, broadly speaking, is a set of practices, procedures, and technologies designed to protect digital technology resources. Recently, I had the chance to talk to some professors and researchers in the area of cybersecurity about training and preparation of the “next generation” of “Good Guy” cyber warriors. What struck me as fantastically interesting was the fact that nowhere in the discussion of cybersecurity did the issue of privacy come up. In fact, when I brought up privacy and cybersecurity it seemed laughable to the audience and something beneath consideration. I don’t believe the response was out of any malice or disdain toward individuals, but the simple fact that privacy isn’t seen as part of the practice of cybersecurity by professionals in that field tells us something important.


PRIVACY IS FOR PEOPLE

To be fair, cybersecurity practitioners say things like, “The quieter you become the more you are able to hear,” and imply that stealth and misdirection are powerful tools in understanding the digital landscape. In that sense, privacy—or stealth, at least—could be seen as a fundamental tool of the professional or experienced cybersecurity expert. But when referring to cybersecurity, we are talking about people who specialize in it for years and years and are paid handsomely for their expertise—to work on corporate systems of high value. And here is where the economics of privacy comes into the picture: The customer or accounts database of a large bank, insurance company, or online retailer has a fairly obvious value to the digital thief: names, addresses, credit card numbers, Social Security numbers, perhaps even medical history, tax information, etc. All that data is valuable on the black market, which is a very lucrative criminal business!

WHY DON’T PEOPLE HAVE CYBERSECURITY?

Have you ever heard of the Tragedy of the Commons? It is a story about how anything without clear ownership rights is likely to be overused by everyone. Think of the open field at the end of your block and how everyone uses it to dump landscaping, walk their dog, and deposit anything unwanted, and ask yourself who cleans it up? That’s where your personal data resides right now—in the commons. All of your smartphone GPS data, web site traffic, smart TV viewing, Alexa, Siri, and Google voice interactions, news consumption, and everything else you do online; it’s all up for grabs. Anyone who can get it can do whatever they want with it.

YOUR LIFE IS INTELLECTUAL PROPERTY

Now, what is interesting is that as soon as you give your data to a company then it is magically transformed into legally protected property called “intellectual property.” Isn’t that fascinating?
You sitting in your living room surfing the web and shopping for products is just you living your life, until the point it becomes part of some Amazon algorithm for prioritizing product placement and advertising. Your time spent downloading streaming television is just you living your life, until it is part of the Netflix algorithm for recommending new shows, measuring how long people will watch at a time, how many episodes they will consume, or what topics are popular. Your banking records are just boring receipts that you (might someday) review until they are sold as marketing data to companies who want to sell to people like you, in your neighborhood, and income bracket.

INTELLECTUAL PROPERTY IS MONEY

What is really interesting about all of this is that as these valuable data sets accumulate and are “monetized” by companies they become part of the economy—part of daily business for companies large and small. What happens if that flow of data is compromised, cut off, curtailed, or suddenly metered in a way companies dependent on it cannot control? There is clearly a strong incentive to make sure the data continues to flow. Companies want to obscure what activities they monitor; they want to hide what data they need to continue to benefit from watching you; they don’t want you to know what information has “added value” from its analysis and resale to third parties.

ISN’T INTELLECTUAL PROPERTY MOVIES AND MUSIC?

Let’s just look at this another way: Some people still imagine that a company’s cybersecurity is about protecting assets like film footage from movies, or studio production tracks from recording sessions with music artists, or secret plans for the next Apple computer. Sure, that is some of it. But think through it – movie studios are going to release their new film on every viewing platform conceivable and simply price in the cost of it being pirated (which is efficient compared to infallible security). New music plays for free on the radio, Pandora, Alexa, YouTube, and (my personal favorite) Hype Machine. The last time something other than your personal data was protected by a secret technology platform, Agents Mulder and Scully were on the case.

Here’s the secret: you and your online habits are the intellectual property.

TIM PATRICK STARTED PROGRAMMING IN 1984 ON HIS IBM PC JR. HE HELPED AT&T WIRELESS OUTSOURCE SUPPORT OPERATIONS AND WORKED ON THE MERGER WITH CINGULAR WIRELESS. HE FOUND WORKING ON THE MOST CHALLENGING PROBLEMS OFFERED THE MOST REWARD: HELPING MICROSOFT FORMULATE AN ENTERPRISE ARCHITECTURE, BOEING DEFINE THE PROCESS FOR BUILDING THE 787 AND T-MOBILE SPEED UP DAILY PROCESSING OF 20M+ CUSTOMER BILLS. AT THE US OLYMPIC COMMITTEE, TIM LED TEAMS TO CREATE WORLD-CLASS SPORT ANALYTICS SYSTEMS. LEADING THE CURRICULUM FOR THE COLLEGE OF IS&T AT THE UNIVERSITY OF PHOENIX WAS AN AMAZING CAPSTONE TO YEARS OF LEADERSHIP. THE QUESTION HE MOST FREQUENTLY ASKS HIMSELF IS “WHERE IS TECHNOLOGY GOING NEXT?” HE MAY BE CONTACTED AT TIM.PATRICK@TIMPATRICK.COM





On January 16, 2020 the National Institute of Standards and Technology (NIST) released the first version of a voluntary privacy framework, “Privacy Framework: A Tool for Improving Privacy through Enterprise Risk Management.” This privacy framework will be widely used by organizations of all sizes. It provides a common approach which will standardize American companies’ approach to privacy compliance regulations. This decision to assign resources to be in compliance with the new privacy laws (CCPA, GDPR and the many others pending) will be made considering the rising cost of business insurance policies priced by insurance underwriters, who now have the ability to reference NIST compliance as a ratings tool when setting rates for corporate insurance policies.

The intersection of these two risk domains is depicted in Figure Two.

Figure 2: The intersection of cybersecurity risks and privacy risks. Cybersecurity Risks: associated with cybersecurity incidents arising from loss of confidentiality, integrity, or availability. Privacy Risks: associated with privacy events arising from data processing. Overlap: cybersecurity-related privacy events.

Figure 1 depicts the three parts of the Privacy Framework: 1) The Core, 2) Profiles and 3) Implementation Tiers. The Core provides an increasingly granular set of activities and outcomes that enable an organizational dialogue about managing privacy risk.



Profiles are a selection of specific Functions, Categories, and Subcategories from the Core that an organization has prioritized to help it manage privacy risk.

Implementation Tiers support communication about whether an organization has sufficient processes and resources in place to manage privacy risk and achieve its Target Profile.

Figure 1: The three parts of the Privacy Framework (Core, Profiles, Implementation Tiers).

The three framework components provide instructive process descriptions which inform companies how they can manage privacy risk. This occurs through the connection between business drivers, organizational roles and responsibility, and privacy protection activities. Using the three framework parts (Core, Profiles and Implementation Tiers), organizations will have the methods needed to comply with new privacy laws. Proactive adoption of the standards set forth in the privacy framework will reduce both privacy and cybersecurity risk.


The Cybersecurity Framework was published by NIST in 2014. Since then, the NIST Cybersecurity Framework has been instrumental in guiding companies to communicate and manage cybersecurity risk [1]. Now that NIST has published the new privacy framework, US organizations can combine the elements of the two frameworks and better mitigate “adverse events” resulting from combined cybersecurity and privacy risks.

The problems organizations experience have many variations. NIST describes their scale as ranging from dignity-type effects such as embarrassment or stigmas to more tangible harms such as discrimination, economic loss or physical harm [2]. The NIST internal report (IR) 8062, An Introduction to Privacy Engineering and Risk Management in Federal Systems, identifies additional types of privacy risks associated with data processes that may have “adverse effects” on individuals. Specific details of the risk consequences are described in Appendix E of IR 8062. The potential for economic loss is a newly identified and significant corporate risk which will result in increased insurance costs for organizations that do not take proactive steps to audit and remediate their voluntary compliance with the new NIST Privacy Framework.

In today’s increasingly interconnected world, “adverse events” can result simply from individuals’ interactions with systems, products and services, even when the data being processed is not specifically linked to identifiable individuals. For example, smart cities technologies could be used to alter or influence people’s behavior such as where or how they move through the city [3]. Problems can also arise when there is a loss of confidentiality, integrity or availability (the CIA triad) at some point in the data processing workflow. Once a company identifies the possibility of any given problem resulting from the company’s data processing workflow, it can assess the potential impact. The impact (RISK) assessment is where privacy risk and organizational risk intersect. Figure 3 shows the relationship between Privacy Risk and Organizational Risk.

Figure 3: Relationship between privacy risk and organizational risk. A problem arises from data processing; the individual experiences direct impact (e.g., embarrassment, discrimination, economic loss); the organization experiences resulting impact (e.g., customer abandonment, noncompliance costs, harm to reputation or internal culture).

Privacy Risk Management is a cross-organizational set of processes that helps organizations to understand how their systems, products, and services may create problems for individuals and how to develop effective solutions to manage such risks. The NIST Framework Core Structure depicts the steps companies can take to mitigate risk.

Figure 4: Privacy Framework Core functions: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P.

Privacy Risk Assessment is a sub-process for identifying and evaluating specific privacy risks [4]. In general, privacy risk assessments produce the information that can help organizations to weigh the benefits of the data processing workflow against the associated privacy risks and to determine the appropriate response—sometimes referred to as proportionality [5].

In 2014, the NIST Cybersecurity Framework identified five (5) critical functions: Identify, Protect, Detect, Respond, Recover, as shown in Figure 5. Figure 6 details the intersection of the two standards (Cyber and Privacy). Organizational executives and other stakeholders are encouraged to study these diagrams and consider how their company will proactively work to address these new risks. These Figures visualize the high-level functions NIST recommends organizations implement to manage cybersecurity and privacy risks.



Figure 5: The five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover).
Figure 6: The intersection of the Cybersecurity Framework and the Privacy Framework (cybersecurity-related privacy events).

The new Privacy Framework released by NIST on January 16, 2020 provides useful and effective guidance for the organizations and individuals tasked with protecting the privacy of their stakeholders’ data. This new voluntary framework will be used by insurance companies to benchmark relative compliance and thus set risk rating scores which will determine the cost of specific business insurance policies. Thus, in this case our government will succeed in achieving its objective without regulatory interference. The voluntary NIST framework will be successful in achieving significant compliance levels because of the “invisible hand” of economic theory. Once again, Adam Smith’s postulate that free enterprise leads organizations toward socially beneficial actions by economic coercion will have the opportunity to be proven correct. The NIST Privacy Framework will be used by cyber-insurance underwriters to set individual pricing schedules based on compliance with the new national standard. The resulting economic incentive will cause executive decision makers to better protect the privacy of the information that drives their business.



First SoCal PrivacyOC Event Held
BY SCOTT ALLBERT

The first PrivacyOC event was held in late January in Orange County, California. With a focus on the California Consumer Privacy Act (CCPA), the event was brimming with attendees, and conference organizers reported that sponsorships sold out months before the event. In California, the Attorney General will start enforcing the CCPA starting July 1, 2020. Companies not only don’t want fines, but more importantly, they do not want to lose business because of lost consumer confidence. It seems the pace to comply with CCPA has increased considerably.

The Keynote, by Daniel Clarke at IntraEdge, started at 8am sharp and the venue was packed. Guest speakers made the entire one-day event, which cost $180 to attend, well worth the price. I interviewed several of the event speakers and found they are all very busy helping customers comply with CCPA.

Taylor Bloom, Privacy attorney at Baker Hostetler, gave a lecture on “Long-Term Strategy to Build Your Privacy Compliance Program.” Afterward, she told me how important it is to not only understand the California CCPA but also all the other state regulations, both current and future. Since January 1, 2020 we have seen numerous states introduce their own versions of the CCPA, including Washington, Florida, Virginia, and soon New York.

Michael Hellbusch, Partner at Rutan & Tucker, LLP, spoke about setting policy and managing consumers’ rights. Michael told me how some of CCPA is vague and undefined. He said, “CCPA has so many uncertainties. It is hard to be 100% compliant when you don’t know.”

Dan Clarke, President of IntraEdge, which offers Truyo, an enterprise software solution for CCPA, was the Keynote Speaker who shared the top challenges and answers for CCPA. Daniel and I talked about how many “grey areas” there are with CCPA and

REFERENCES
1. There is no objective standard for ethical decision-making; it is grounded in the norms, values, and legal expectations in a given society (NIST Privacy Framework page i).
2. NIST has created an illustrative catalog of problems for use in privacy risk assessment. See NIST Privacy Risk Assessment Methodology (NIST Privacy Framework page 3, footnote 6).
3. See Newcombe T (2016) Security, Privacy, Governance Concerns About Smart City Technologies Grow. Government Technology. Available at http://www.govtech.com/Security-Privacy-Governance-Concerns-AboutSmart-City-Technologies-Grow.html
4. NIST Privacy Framework page 4.
5. European Data Protection Supervisor (2019) Necessity & Proportionality. Available at https://edps.europa.eu/data-protection/our-work/subjects/necessity-proportionality_en
Note: All figures are taken from the NIST Privacy Framework, release 1.0, January 16, 2020.



TOP: (left to right) Tim Blood - Partner/Blood, Hurst & O’Reardon; Michael Hellbusch – Partner/Rutan & Tucker; Lilli Li - Owner/Metaverse Law; Alan Friel – Partner/ Baker Hostetler; James Snyder – Senior Counsel/Klinedinst. ABOVE: Packed rooms: Speaker Dan Clarke / President at IntraEdge.

how difficult it is to delete personal data and how hard it is to complete a proper verification process.

CCPA EXPOSED

The common theme throughout the day was how to meet compliance with all the undated amendments and many changes to understanding the regulation. There are too many of these “grey areas” as CCPA is presently a moving target. Perhaps the most important thing we learned at PrivacyOC is to be prepared. The consensus among privacy pros was that any organizations that adopt CCPA compliance measures will gain or maintain a competitive advantage over the organizations that are slow to launch their CCPA programs.

According to CNBC, California’s new privacy law could cost companies a total of $55B to get prepared for compliance. This is a booming business and investors are jumping in headfirst. According to Crunchbase News, almost $10B was invested in Privacy and Security Companies in 2019, which is five times more than the $1.7B spent in 2010. The CCPA is a tsunami coming at us and has only just hit the beach.

SCOTT ALLBERT IS VICE PRESIDENT AT GENERAL DATA PROTECTION SERVICES. HE HAS OVER 20 YEARS’ EXPERIENCE IN THE ECM MARKET. SCOTT’S YEARS OF INDUSTRY EXPERIENCE GIVE HIM A BROAD UNDERSTANDING OF THE PRODUCTS AND SERVICES WHICH COMPRISE THE INFORMATION GOVERNANCE MARKET. SCOTT IS A PAST CHAIR OF THE AIIM BOARD OF DIRECTORS AND AN AIIM FELLOW. HE MAY BE REACHED AT SCOTT.ALLBERT@OUTLOOK.COM






A Conversation with Teresa Schoch, Privacy Attorney

Born near Oxford, England to an English rose and an American soldier, Teresa Pritchard Schoch grew up as a dual citizen learning to behave properly whether in the mountains of Tennessee, or in London town. She loved school and was drawn to literature, art and music. She worked her way through university degrees as a blackjack dealer, a coat check girl, a librarian and an editor, studying English literature, library/information science and law and, later, massage therapy—all with honors. At the ripe age of 28, Teresa was a professor, an attorney, served on the ethics committee for the Michigan State Bar, and was a pioneer in using technology in law, designing tools for several practice areas. She has pursued a career in law and technology, focusing on data privacy in recent years, and truly believes that if you love what you do, you never really work, you just live your life learning and creating as you go.



IGW: What sparked your interest in the Law?

TS: My family was enamored with the King Arthur legend with its concept of the round table and justice considered part of our heritage. I visited the Oxford law library and fell in love with its sun-filtered stained glass beauty, and the sense of respect for law that prevailed in the peaceful, scholarly atmosphere. I decided I wanted to be a law librarian and work in a place just like that. I saw my future as that of a scholarly guardian of the law helping ensure that knowledge of justice was maintained and accessible. I set my sights on getting a master’s degree in library science, then a law degree. I surprised my guidance counselor in high school when he asked me what I wanted to do with my life, and I replied with a specific plan for reaching a very specific goal. Later, as the primary writer for the Michigan State Bar ethics committee, I was asked how I could decide legal ethics questions so adroitly. I told them that the knights’ code was so similar to attorneys’ ethical rules, that I would consider relevant facts and determine what a knight would do!

How did you get into the records management and IG space?

In law school, my passion was environmental law, and even though I still wanted to be a law librarian, there was such a pressing need for lawyers to protect the environment that I shifted gears. Upon graduation, I was an environmental litigation attorney in a large firm in Detroit, but also in charge of the law firm’s library, online research, the technology committee, litigation support and both the firm and the Bar’s ethics committee. (And I taught at two universities in my spare time!) While practicing law, I kept seeing ways that information could be used creatively by accessing data sources that were becoming available online (increasing the types of knowledge to apply to a case), and how much more efficient the practice of law could be if we used developing technology for addressing clients’ needs; e.g., document assembly (contracts, trusts, corporate and firm record-keeping), conflicts recognition, etc. Since no one else was addressing it, I designed systems for decreasing time to accomplish tasks using my information science skills.

In my next role at a large firm in Florida, I kept my promise to myself to be a law librarian as a Director of Information Management, responsible for library management, research services, investigative work, litigation support, conflicts management, knowledge management and records management. I practiced law but primarily focused on bringing technology into the practice. Our law firm was recognized nationally for its cutting-edge technology utilization in several areas, including records and information management (RIM). Automating the RIM center, I realized that the records center was the central nervous system of the firm.

In D.C., I shifted gears to become part of this industry that was feverishly capturing data for online retrieval. As part of that effort, I addressed privacy issues related to the capture of personal information through the automation of public records, court records, white pages, etc. I had become expert in finding background on individuals and, for example, trained the FBI, CIA and Justice Department in computerized investigation.

You’ve also been focused on privacy for a while, before it was “cool”—what prompted you to go in that direction?

As stated earlier, my passion for creative information use in the legal practice led me to push for electronic access to public records, newspapers and similar sources early on. In Florida, we were researching our jury pools using public records sources that no one had done at the time. We discredited witnesses by finding information in local newspapers and often researched the background of people on behalf of our clients as a professional courtesy. At that time, I was writing monthly articles on law and technology and frequently addressed issues of privacy as more sources became automated, and where ethics came into play as we were able to discover more about witnesses, opposing parties and our own clients through databases. I wrote several articles on privacy rights related to new sources of information access and participated in lawsuits relating to early personal information data publishing many years ago.
More recently, while consulting on RIM, I saw my value to organizations as being able to holistically address their information management by focusing on Information Lifecycle Management (ILM). I considered it my mission to help organizations understand the interrelationship of e-discovery, records management, security, privacy and defensible disposition. My message was that the goal for ILM was to be “lean and clean” i.e., less is more. Most large organizations had (and still have) huge repositories of dark data that served no purpose whatsoever other than to employ accountants to pay the bills for their upkeep. I wanted to free up those resources for growth and show the competitive advantage of lightening up.

After the Snowden NSA information leakage revelations, the EU began accelerating the passage of a new privacy regulation (the GDPR) which would require that companies be aware of all the information they had in their possession (including all that dark data). I knew that this was going to be the impetus to finally move toward the “lean and clean” information model that I saw as the future of information management. I created a course on the “Snowden effect” on ILM at IBM soon after his release of classified information, and I shifted my skill set to focus on the privacy facet of ILM. I reacquainted myself with privacy law (three certifications so far) and began to study privacy related technology in relationship to data identification, data mapping, encryption, etc. I also began to study the conflict of laws between global records laws and privacy laws. To expand my skill set, my next consulting role was focused on the interrelationship of security and privacy as the GDPR became law.

How do you think things will play out in the U.S. with an emerging patchwork of state privacy legislation and perhaps federal privacy legislation looming?

Interestingly, the US’ respect for personal privacy is lagging the rest of the world in many respects. When I speak on the topic, I explain to my audience that to understand a country’s privacy laws, you just need to understand their history. People in the EU remember Hitler, Argentina citizens remember their military coup and the Spanish remember their civil war. Knowing what can happen when a police state uses your personal information against you leads most to a view of privacy as a fundamental right; i.e., a constitutional right, as established by the EU. We simply have not had that compelling sense of the need for that personal right in the United States. (Perhaps because we are so heavily armed?) Others consider the EU’s fundamental right to privacy to be more about the Europeans’ desire to associate with whomever they wish. They do not want to be diminished in any way (class standing, included) by having personal details disclosed. Americans are perceived to be more concerned with a cowboy-framed freedom without the same sensibilities regarding their reputations and the impact on their social standing.


However, the exposure of Cambridge Analytica’s use of US individuals’ data to manipulate many voters in the 2016 election woke up some Americans to the danger of the current existence of an average of 5,000 data points on each US citizen. The “Great Hack” on Netflix is an excellent study of the ability to create echo chambers on social media to influence us to buy, sell, think, and vote. We now know that the election was won by the identification and targeting of “persuadable” individuals who could be triggered into a desired response by feeding them certain information over whatever devices they accessed. For me, the need to address the danger associated with this unbridled power of unwitting manipulation has become as critical as climate change. California was the first to respond to Cambridge Analytica and similar groups. The California Consumer Privacy Act, effective January 1, 2020, addresses the collection of personal data for imposing on personal space when using internet related devices of all types, specifically prohibiting sharing of your data without your knowledge.

Will there be a US federal law that preempts all state privacy laws?

At some point, that is likely inevitable. While there has been a recent bill introduced to create a federal privacy framework with less dependence on the FTC for enforcement, I would be surprised to see the gridlock in Washington changing any time soon. The recent revision of the North American Free Trade Agreement (NAFTA – now the UMC) spoke to a US privacy framework as a footnote, indicating that the US will follow APEC’s framework in upcoming years. (That is its own article.) Other countries have also addressed details of privacy issues in their trade agreements which makes sense since individual data is perceived as “the new oil” in economic terms but never addressed their future framework. Whether a US federal law will mirror California’s law, or abolish it completely, will depend on the political landscape.

As referenced earlier, privacy rights likely are going to be perceived in the same realm as climate change. The federal government will decide to protect them or will think that it is more important that corporations have the right to maximize profits from this new oil. Like on the climate change stance, we may end up one of a couple of countries that does not see the need for privacy protection. That does not keep us from being impacted by the rest of the world’s laws as we address localization laws in Russia, China and India, for example, and requirements for personal data transfer. With the globalization of business, we cannot conduct business without meeting international privacy laws. In the meantime, organizations in the US will be scrambling to address US state laws that will mirror California’s Consumer Privacy Law in the upcoming months and years.

Have you seen much impact with CCPA yet? What have companies that invested in GDPR readiness done to accommodate CCPA? Any additional measures?


Large companies are being impacted by the CCPA essentially to the same degree as the GDPR. Smaller companies are not as likely to be regulated by CCPA unless they provide services to larger companies. GDPR was effective in getting many large corporations to understand the need to address their information hoarding. The storage downsizing already in play was critical for the CCPA as well. Some organizations had already mapped their data to determine the location of personal information beyond the EU-based data which gave them a distinct advantage. There was also increased budgeting and technological implementation in securing data which is critical for the CCPA. But there are differences in the laws that require different frameworks.

In my current role as a global privacy attorney at Axiom (an international legal services firm), many companies respond to my requests to amend contracts to comply with CCPA with the statement that they comply with GDPR, but compliance with the GDPR simply does not equate with CCPA compliance. Again, we can look at what drove the passage of the CCPA, which was not the same as the GDPR. The CCPA is a direct response to the Cambridge Analytica revelations; the sharing of personal data without our knowledge for the purpose of influencing us to act in a predetermined manner. California’s law is controlling businesses and service providers in a manner that ensures opt-out rights when data is being sold, with a very broad concept of a sale. A consumer’s rights to deletion and access are the same in both laws, but other requirements in data sharing are handled differently. Companies that have proliferated in the US to provide programmatic advertising through cookies utilization are scrambling to develop new business lines considering the CCPA. Google has created a new model of “restricted data analytics” while Facebook is creating headaches for linked websites with new opt-out requirements.
In addition, the California Attorney General drafted regulations that are very specific about how consumers can approach an organization to assert their rights under the CCPA. The response framework is not the same as one for a GDPR-based request.

CLOCKWISE FROM TOP LEFT: With my daughter, Tara, in Prague studying film. (At which she is brilliant!); Many of my best friends have been dogs. my most recent, Star; My often times office in Saint Petersburg, Florida; At the Shard in London with Tara, my niece, Dana and a British family friend, Sarah we have known for decades; Me on the left. As children, we loved to listen to my mom read the letters from my British grandmother; The joy of cooking is obvious. I love to host both dinner parties and larger celebrations; A time in life with a different focus; mom and massage therapist; With my friend, Dan Raphael, a talented artist and author, traveling to Argentina; Grad school, project based photo for study of how clothing affects others’ treatment of you; Brit and American family and friends came together to find the right place for my brother, Cliff’s ashes at the alleged birthplace of King Arthur, Tintagel in Cornwall on the southwest coast of England; Me with my brother, Cliff; My parents, quite a romantic story; An example of my jewelry collection that combines sterling silver pieces from the art deco period. I am at 800 pieces with a 1000 goal. I am negotiating their placement with a fine arts institute; My Clarice Cliff and Christine Rosamond art collections. Clarice Cliff was the first woman allowed to sign her hand painted pottery in 1920’s England. Rosamond was a California artist whose work is similar to the Pre-Raphaelites led by Rossetti; Mom; Not all information processing is done by computers.




What is the biggest mistake companies make in preparing for privacy compliance?

Thinking that privacy and security are the same thing. Obviously, protecting privacy requires good security and many breach laws do not require a notification to those individuals whose data was breached if the data was adequately encrypted. But there are a lot of other aspects to privacy management beyond securing the data. Global laws, rights to access, deletion, verification, conflicts of law, cross border transfers, recognition of sensitive data, breach response, service provider/vendor agreements, privacy by design, etc. are just a few of the areas handled by privacy professionals, rather than security professionals. In many instances, hiring professionals don’t know the difference and expect security professionals who can build firewalls to assume all other duties relating to privacy for which they are not trained. In the same vein, many C-Level professionals think that anyone can handle privacy management; that it is just not that hard. It is such a new area with so many moving parts that many don’t know what they don’t know.

What trends are you seeing with privacy information management system software?

Most of the budget in privacy management (assuming security is addressed in a larger, different budget) is being spent on mapping tools, de-identification software, automation of data subject requests, cookies management, website scanning, personal data location software and consent monitoring. There is a consolidation of privacy management tools occurring, with research tools becoming integrated into the implementation tools so that legal requirements are attached to the records to which they relate. Privacy mapping tools are integrating with RIM tools. Software developed for locating information within unstructured data for eDiscovery purposes is being used to find personal data.

If you could have dinner with three historical figures, who would they be, and why?
Nikola Tesla, Charlie Chaplin, Dante Gabriel Rossetti. I am sure there would have been women in this list if they had been acknowledged in their times, but these three men have inspired me to be my best and to contribute, often working harder than others might, simply to manifest as much as I can with what I have been given. While I have at times been perceived—mistakenly—as competitive, I only compete with myself to get better at whatever I am doing. Tesla reminds me to stretch my mind, create, and to not worry that it might have all been thought of before. He did not sleep much and saw patterns everywhere. He delighted in making the world a better place by manifesting the pattern-based designs that were meant to make life easier. Chaplin rose above a tough life in a London poor house to remind people around the world to see the humor in it all. His work is brilliant in that he did not have to say anything but was understood around the world because he tapped into the universal human experience captured in expressions and gestures shared in all cultures by all races. In the end, kindness is what matters. Rossetti was a poet, essayist and artist who captured colorful beauty on massive canvas works and exemplified joie de vivre that was a rebellious lifestyle in the Victorian era. He led a talented brotherhood who inspired each other to reach new heights in writing, art and design pulling from the King Arthur legend to portray concepts of loyalty, honor, civility and beauty.

What is your favorite place to travel to, and why?

Going to England is simply going home so that is not really travel. Otherwise, I call a tie between Buenos Aires, Argentina and Maui, Hawaii. Buenos Aires is rich in culture with music, art, architecture, dance and fashion. The Argentine people are inherently curious and have a special kindness about them. Maui’s beauty is like Rossetti’s colorful art come to life. The colors are rich, from the bountiful flowers to the stunning sunsets where bliss is a common word. Maui is another area of the world where there is a special kindness between people. However, I’m not finished seeing the world so that can’t be definitive. There are still countries I want to experience. But I do think there is a time when we have traveled so much that we have people we love around the globe and we come to the realization that we want to travel to see people more so than places.

“For me, the need to address the danger associated with this unbridled power of unwitting manipulation has become as critical as climate change.”







In an uncertain global market like that which we are experiencing as a result of fallout from the coronavirus and recent OPEC fubar, inexperienced or unnerved business leaders tend to hunker down, tighten the belt, jettison the ballast, or worse, just stay the course. More experienced and steely leaders on the other hand take to heart what M.F. Weiner first wrote in 1976: “Don’t Waste a Crisis.” But how does one understand a crisis and anticipate and take advantage of its ramifications? One word: data. True, most crises are unique and remain unpredictable in many ways. They are times of great uncertainty. Certainty, or at least predictable activity, can be gleaned from the deterministic chain of responses, and taken advantage of.



In fact, the definition of information dating back to the days of the father of information theory, Claude Shannon, specifically cites it as being that which reduces uncertainty and therefore chaos (i.e., the effects of entropy). So, while it may make sense to push the pause button on particular capital expenditures, investing in data and analytics should be accelerated not abated. Remember, good information in its many forms, including analytics, insights, predictions, diagnoses, prescriptions, and so forth, often is a lower-cost substitute for inventory, property and even money. Uber and Lyft for example have substituted information about who needs a ride and who has a car for fleets of taxis. Airbnb and HomeAway have done the same for bedrooms.

Even most traditional retailers and manufacturers have been able to reduce their inventory levels, some to just-in-time inventory, based on detailed, near real-time supply and demand information. Moreover, more than 30% of companies today exchange information they collect or generate in return for goods and services from others. And this merely represents one of several ways to monetize your data. Investors themselves even seem to favor organizations that make significant investments in data and analytics. Public companies with chief data officers, data governance programs, and data science organizations command a nearly 2x market-to-book valuation over the rest of the market. Companies like MSCI, Accretive Health, Betfair PLC, SPS Commerce, Amex, and Apple, have demonstrated a clear commitment to substituting information for traditional high-cost production factors and waste.

DATA TO THE RESCUE

Value chains are deterministic for the most part. Indeed, the vagaries of human nature inject a level of insuperable uncertainty. But this is generally white noise for most businesses. Supply and demand, pricing and elasticity, productivity frontiers — all models from Econ101 can be used to describe your value chain, with data plugged in to identify and understand the drivers and levers of business. At no time is this degree of understanding more important than during an economic crisis. So don’t turn your back on it.

Moreover, how well do you really understand your supply-chain? (“Of course we know who our suppliers are!”) But do you know their production capacities or costs at different levels of capacity? Do you know who their suppliers are or who their suppliers’ suppliers are and how resilient their businesses are to changing economic conditions? Most automakers and airline manufacturers have up to six levels of supply chain visibility. If you don’t have it, collect it, buy it, or barter for it, and plug it into your value chain model. Furthermore, how well have you used available information to identify and line up alternate suppliers in the event that one falters or can’t deliver you widgets because its borders are closed, workers have been quarantined, or transportation methods are halted?

Same with the demand side of your business. How well are you tracking customer sentiment, purchasing power, competitor pricing or service changes, or any of hundreds or thousands of global economic factors affecting demand for your goods and services in real-time or over an extended horizon? A burgeoning selection of data product companies, data marketplaces, and specialized analytics solution providers has emerged offering an array of alternative data sources that can provide unique insights–if integrated well.

Data is also necessary to give visibility to executives so they can act with more precision, especially in a volatile market. A few years ago, Gartner analysts Dale Kutnick and Saul Brand developed the “economic architecture” concept which is a brilliant method of defining an organization’s prospective aspirational balance sheet and income statement, then architecting the business to achieve it over some time horizon. As economic conditions change, so must various financial goals and ratios that in turn dictate how the business must operate to achieve them. Similarly, at the onset of the Great Recession, BMC Software was one company whose leaders went a step further–developing a series of financial risk scenarios (red, green, yellow, blue, etc.) based on economic triggers that they were ready to execute at a moment’s notice. As a result, the company was able to weather the storm better than others, not just by being “proactively reactive” but by instilling confidence in its employees, customers and investors. Yet the ability to define, communicate, and execute efficiently to economically architect the business or employ economic scenarios requires deep and broad data.

Even at an information technology level, organizations can free up needed cash in a crisis without the need to halt IT projects. Among the most expeditious ways to do this is moving data and processing to the cloud, salvaging existing hardware, stemming hardware-related capital expenses, and likely reducing labor costs. Speaking of labor costs, have you automated all the processes and decisions that can be automated reasonably and swiftly? Now isn’t the time to be afraid of black-box algorithms, it’s the time to embrace them. But these forms of advanced analytics and process control need to be fueled. Data is the lifeblood of artificial intelligence (AI) and machine learning (ML) algorithms.

Finally, with recent trepidation of gatherings and spreading disease through the handling of objects, consider which of your physical products and mano-a-mano services can be digitalized. Digitalization of course requires data too. So, CIOs inevitably being asked over the next few weeks to reconsider IT budgets in the midst of this current financial crisis should learn from those companies that weathered and thrived in the last one. Rather than slashing budgets wholesale, consider shifting them into improved ways to manage and leverage data as an actual corporate asset not an expense. Or bolder yet, ask for increased budgets to bring data to the rescue.

DOUG LANEY LEADS CASERTA’S DATA AND ANALYTICS STRATEGY PRACTICE AND IS THE AUTHOR OF THE BEST-SELLING BOOK: “INFONOMICS: HOW TO MONETIZE, MANAGE, AND MEASURE INFORMATION AS AN ASSET FOR COMPETITIVE ADVANTAGE,” WHICH FEATURES THE INFORMATION VALUATION MODELS HE DEVELOPED. HE ALSO IS A VISITING PROFESSOR AT THE UNIVERSITY OF ILLINOIS GIES SCHOOL OF BUSINESS AND A THREE-TIME GARTNER THOUGHT LEADERSHIP AWARD RECIPIENT. HE MAY BE REACHED AT DOUG.LANEY@CASERTA.COM.

Doug Laney





Mike Quartararo has been solving problems in e-discovery and IG for 20 years. Mike is an author, teacher, and thought-leader, and holds certifications in e-discovery (CEDS) and project management (PMP). He has built his career upon strategic and innovative thinking, leadership, and operational skills honed at the best legal organizations in the world. He began his career as a paralegal at big law firms in New York. In 1999, he joined Skadden Arps Slate Meagher & Flom LLP where he led e-discovery projects related to complex class action securities and international litigations. Later, as a database specialist, project manager and trainer, he focused on managing data collection and processing projects, large-scale document reviews and trial presentation. During his ten years at Skadden, Mike began to study and apply project management principles to litigation and e-discovery projects. In 2008, Mike joined Stroock & Stroock & Lavan LLP to build and lead their litigation support operation. As firm-wide director of litigation support he led a staff providing consultative e-discovery, litigation support and technology services. Mike introduced project management principles and he developed and implemented policies and procedures relating to information governance, e-discovery and trial services. He was also responsible for the design and delivery of firm-wide e-discovery training programs. Mike co-founded the firm’s eDiscovery and Information Governance Group and regularly provided advisory services to attorneys and the firm’s Fortune 500 clients. In 2012, Mike became a part-time graduate professor and advisor at Bryan University in Tempe, AZ. He co-designed and taught classes in e-discovery and project management, developed a project management simulation course, and also secured educational licenses for leading e-discovery applications and developed a laboratory for students to gain practical, hands-on experience.



Mike left Stroock in 2018 to launch his own successful consulting practice. eDPM Advisory Services provides legal operations, e-discovery and project management advisory services to corporate legal departments and law firms and Mike frequently speaks and writes on topics relating to his consulting practice. In late 2019, Mike was named president of the Association of Certified E-Discovery Specialists (ACEDS), a global professional membership association providing live and online training and certification in e-discovery and professional development courses to corporate legal departments, law firms and the broader legal community. Mike is a graduate of the State University of New York, with a Bachelor’s in psychology and music. He studied law at the University of London, Holborn College.

IGW: Where did you grow up, go to school?

MQ: I grew up in New York and went to college in upstate New York at SUNY New Paltz. I considered law school in the US for a while, but opted to complete a year of law school at the University of London, Holborn College, where you “read” the law. We studied the Magna Carta, the British legal system and its common law foundations. I literally had to recite British court decisions to pass those classes. It was enlightening and it set me on a legal course in my career.

What are some of your fondest memories from growing up?

Growing up we did a lot of outings and other family activities. I really used to like fishing and I recall holding the record for some period of time for the biggest bluefish caught out of Shinnecock Inlet on Long Island. Truth is my dad helped me reel it in, but he gave me all the credit.

What sparked your interest in the Law?

I’ve always been fascinated by government and the law. There’s something about the organizational structure and the orderliness that appeals to me. I like rules and procedures and frankly some of the best work I’ve ever done is the policy development and instructional stuff. It’s also what likely led me to project management—the structure and process of it all. But without a law degree, where do you go in the legal industry? I chose early on the paralegal route and later law firm management and administration.

How did you get involved in the e-Discovery space?

The first time I heard the phrase electronic discovery was in the mid to late 1990s. I was leading a team at the time focused on discovery for a major class action litigation. More and more relevant documents were surfacing that the lawyers needed to look at and working in big law at the time gave me the advantage of resources. So, we set about to convert the electronic documents to tiff images and scan the paper documents and lawyers began looking at the documents on a computer screen instead of in boxes of paper. OCR enabled them to search. Coding helped them to sort. It was truly revolutionary back then. I went on to work on many more cases like that and eventually began training others and eventually I found myself running an entire department dedicated to providing e-discovery services internally and to clients of the firm.

What is the biggest mistake companies make in preparing for e-Discovery, or carrying out an e-Discovery project?

The biggest mistakes that companies make in e-discovery are underestimating the early stages of the process. I always say that IG is the foundation of e-discovery. And it’s 100% true. If you look at the EDRM it starts with several processes built around IG. If I have learned nothing else over the years there are several things you can do in those early stages—the IG stages—that can save you time and money later. Simply knowing what data you have, where it is stored and secured, who has access to what data, and how you dispose of data is critical. Quite apart from the business value of information, if when you are faced with litigation, an investigation, or a regulatory inquiry, you are able to efficiently identify the data assets impacted by the dispute or inquiry, well, then you’re going to find the e-discovery process more tolerable and more affordable. But to answer your question more succinctly, the biggest mistake I’ve seen over the years is failing to properly identify information relevant to a dispute and then implementing a proper legal hold or preservation order. Too many times I’ve seen horror stories about missing, altered or deleted data. This should not be happening today with the technologies that are available.

What trends are you seeing with technologies and approaches to e-Discovery?

I’m seeing a lot of movement toward automation and finding efficiency. And this involves a lot of the machine learning or AI tools we are seeing on the market today. If you had told me 20 years ago that I would be able to parse through 5 million documents and pull out conceptually relevant or related content in a few hours, I probably would have said that’s crazy. But today we’re doing this. And we’re using similar tools to analyze thousands of contract clauses, or to perform sentiment analysis on email messages across a massive corporate enterprise. But what’s particularly cool to me, too, is the growth of process-oriented tools that are designed to make managing projects more effective and more efficient. Analytics, metrics, KPIs—all of these are starting to play a role in legal environments as we all converge on the best way to do things. It’s an exciting time to be in e-discovery.

How do you see the intersection or overlap of IG and e-Discovery?

As I say, IG is the foundation of e-discovery. Everything that happens in the e-discovery lifecycle, from preservation, collection, processing, review and production—all those processes flow from the IG processes that precede it. There’s no simpler or more important way to look at it. And so, if you’ve got sound IG processes in place, that can only help improve your e-discovery processes down the line.

You were recently named President of ACEDS. What is your vision for a thriving ACEDS community? What obstacles must you overcome?

Thank you, I appreciate you raising this. Yes, I took over as the president of the Association of Certified E-Discovery Specialists last October. We are the world’s leading e-discovery training and certification organization. We have roughly 2500 active members in 20 countries across the globe, about 1450 of which are Certified E-Discovery Specialists or CEDS. My goal is to grow the organization membership. Currently, we have 24 chapters in most major US cities, the UK, Ireland, Canada, The Netherlands, and South Africa. We’re looking to expand to Australia and South America too. But the membership is the lifeblood of the organization and we’ve been very pleased with the growth. Some of the obstacles have been finding the time to update our training materials and certification exam and introducing more structure to the many chapters. We have been chipping away at these, but we still have a way to go. One of the things I’ve been passionate about is giving back. And so, we’ve introduced a scholarship/hardship program and later this year we will roll out a reinvigorated mentorship program that is designed to pair senior people with junior people for training, career development advice, and networking opportunities.

Who has been a mentor for you, and what key lessons did they teach you?

I’ve had so many mentors over the years, most of them attorneys I’ve gotten to know and remain friends with to this day. Navigating in the legal industry is rarely done alone. There are at least a dozen people who at various times have guided and shaped my career. I mean, I’m the head of one of the most successful professional organizations in our space—and I would not be here were it not for several people who helped me analyze and navigate complex issues and implement creative solutions; who taught me to persevere in the face of obstacles; and who encouraged me to forge a new path and adopt new technologies. I used these words recently during a speaking engagement and they are true. More than anything, what I’ve learned, though, is a certain degree of emotional intelligence and how to communicate with people. Keeping a cool head and talking with people—adversary or best friend—tactfully and with respect are probably the most useful tools I’ve learned to use.

Tell us about your volunteer work, and why is it important to you?

I consider myself to be very blessed. I’ve built a career and reputation in an industry that just 20 years ago didn’t really exist. I have had the opportunity to manage great teams and I’ve been exposed to great managers. I’ve been well-compensated, and I hope I remain well-regarded among my peers. Having been rewarded, I feel it only appropriate to give back. So, I volunteer as the executive director of the Life Preservers Project, a small, grassroots nonprofit organization in New York dedicated to providing support and services to victims of human trafficking and to raising awareness in at-risk communities.

What is your favorite sports team, and why?

I grew up in Queens and for better or worse most people there are fans of the New York Mets baseball club. And I’ve taken a lot of flak about this over the years from my friends who are Yankees fans. I mean who has more championships than the Yankees, right? But I love the grit and underdog status of my Mets—and they try. They really do. Sometimes I feel like they can’t get out of their own way, but they’ve always been my team. And just like in other areas of life, I place a high premium on loyalty. But the truth is that I’m a fan of baseball in general and that’s because I played a little when I was younger, and I can appreciate the complexities of the game.










Reed Smith, a New York-based law firm, recently announced the launch of the new “E-Discovery App” for litigation professionals and others in the e-discovery community. The E-Discovery App is a free download available through the Apple App Store and Google Play. To install the app on a phone, users can simply click on the Apple App Store or Google Play and search for “E-Discovery App.” The mobile application was developed in-house by the firm’s Records & E-Discovery (RED) Practice Group in collaboration with the firm’s legal tech subsidiary, Gravity Stack.

“Our clients and professionals within the E-discovery community have been seeking an on-demand tool that gives them access to many E-discovery resources at their fingertips,” David Cohen, a Reed Smith partner and RED chair, said in a media advisory. “Our app provides a great starting point for legal professionals and helps drive progress for our clients.”

Reed Smith’s e-discovery reference materials serve as the backbone for the E-Discovery App, which also reflects contributions from others in the e-discovery community. The E-Discovery App offers eight content areas:

An E-Discovery Glossary that offers concise definitions of more than 100 searchable E-discovery related terms, phrases, and acronyms;

An E-Discovery Calendar of Events, including upcoming conferences and webinars;

Selected Rules that links to the Federal Rules of Civil Procedure, Federal Rules of Evidence, and Model Rules of Professional Conduct most applicable to E-discovery;

Document Review Management resources, including a document collection and filtering checklist, a discussion of deduplication and threading, reviewer training and quality control tips, and a document production checklist;

Sample E-Discovery Forms, including legal hold notices, a custodian questionnaire, a Rule 26(f) checklist, and sample court orders;

International and Cross-Border resources, including summary guidance, a GDPR cross-border checklist, and a GDPR template notice;

Additional Resources, including common file extensions, ESI “rules of thumb,” and links to other helpful e-discovery materials; and

A Solution Provider Directory, listing e-discovery software and service providers, the solutions that they offer, contact information and website links.

“There are some great e-discovery resources already available on the internet, but you have to know where to look, and you cannot always find what you are looking for,” said Bryon Bratcher, Managing Director of Gravity Stack, which collaborated with Reed Smith’s RED Group to develop content for the app and identify other useful resources to include. “Having a curated collection of resources and links available in one location will be invaluable to those in the e-discovery community.”

Cohen said that there is a relatively close-knit community among e-discovery professionals and a culture of sharing. “E-Discovery remains a rapidly evolving area of law, and a very collaborative culture has developed among practitioners and service providers,” Cohen said. “Many of the resources available through the app were developed by or with help of others. We are grateful to those who have volunteered their time and resources, and welcome submission of additional forms and resources to consider including in future app updates.”

Reed Smith’s RED group focuses primarily on two areas: counseling clients with regard to implementing effective records management and IG practices and assisting clients with all phases of electronic discovery, including large-scale document reviews. Reed Smith’s technology subsidiary, Gravity Stack, develops and supplies legal technology and service solutions, including information collection, processing, hosting, analytics, anonymization and other managed technology, data services and products. For further information, visit www.reedsmith.com

The new The Sedona Conference Glossary, eDiscovery & Digital Information Management, Fifth Edition, encompassing 130 pages and nearly 800 definitions, reflects the rapid expansion of privacy and data security laws and regulations. It incorporates new definitions related to Big Data, GDPR, and the science of Technology-Assisted Review; deletes outdated terms; and updates others in response to evolving technology and case law. From “30(b)(6)” and “Ablate”, which is to burn laser-readable “pits” into the recorded layer of optical disks, DVD-ROMs and CD-ROMs, to “Zombie Cookies” and “Zone OCR”, this Glossary covers it all. Do you know what “Basic Input Output System (BIOS)” is? How about a “Data Lake”? Or the Federal Information Processing Standards (FIPS)? What about “Harvesting”? Do you know for which term “Make-Available Production” is synonymous? Do you know what “Sentiment Analysis” is? No, it has nothing to do with studying romantic movies. Do you know what “Thread Suppression” is? Those, and many more, definitions are in this Glossary. The original edition of the Glossary was created in May 2005 and there have been subsequent editions in December 2007, September 2010 and April 2014. You can download a copy of the Glossary here (login required, which is free).





New Coronavirus



Air travel during the Coronavirus epidemic in China.

The SARS epidemic began in 2003, slightly less than two years after I departed from Singapore to Vancouver, BC, Canada to accept an adjunct teaching position in the SLAIS program, University of British Columbia. Before the illness could be contained, it spread to 29 countries, where 8,096 people were identified as contracting SARS, with a mortality of 774 (9.5%). Recently, the death rate among coronavirus patients was estimated at just above 3%, which is much lower than SARS, but about three times the rate of seasonal flu. I lived in Singapore for almost eight years. While based in Singapore, I traveled to over 33 different countries and to China several times. But with all this time and travel in SE Asia, I don’t remember hearing about Wuhan, China—a city as old as Avaris and Pi-Rameses in the Nile Delta (end of the 18th Dynasty) and just as historic to Chinese Culture. Now Wuhan is in the news worldwide, “the historic city has become ground zero of the new coronavirus outbreak.” (1) This medical situation is concerning to me personally, in that I am slated to go to Wuhan for the Pacific Region Education Consultancy Pte Ltd in Singapore, which organizes study tours. Needless to say, I will be forced to wait until the medical crisis settles down—and will be taking my flu shots.



While researching Wuhan in preparation for my visit, this is what I learned and I hope you find it as interesting as I did. Wuhan, what a surprising city! It is today an international metropolis, education center, tourist Mecca, transportation hub, burgeoning tech center, and a culinary center with its own customary local dishes. The city is an international metropolis of 11 million, situated in a province of 45 million people – larger than California. Wuhan is anciently divided by the merging of the Yangtze and Han Rivers into “The Three Cities of Wuhan”: Wuchang, Hankou, and Hanyang. The entire area was quarantined for a time. Having been in higher education for over 30 years, serving as Director of Admission and Records at UC Berkeley for nearly 20 of those years, it was a big surprise to me to hear that Wuhan is the world’s largest college town. It boasts 53 universities, including Wuhan University that alone


accounts for some 60,000 students. (By comparison, Houston has a community college with 45,000 students, the largest in America, and over 300,000 college-level students overall.) Students from Southeast Asia go to Wuhan University for their 6-year medical program, which is taught in English. Wow!

The race for a cure.

Under modern Chinese Communism, tourism was returning to Wuhan after several shocks. The British came and the center of commerce and government shifted to Hong Kong. The Japanese invaded to expel the British, during which the city of Wuhan was captured. After the Japanese were defeated, the Communists wrested control from the Nationalist Chinese, the borders were closed and a nationwide lockdown ensued. Internal travel was highly regulated by the Chinese Communists under Mao and his successors and this policy still exists in provinces deep in the interior of China where armies are at the ready to quell any rebellions in provinces allowed to practice capitalism in limited form—freedom to travel in China means being on a long leash; it is not an absolute right.

That said, climate is an important factor for both city life and tourism. In the Summer, Wuhan is very hot and many people leave during this period. However, during the Spring and Fall, the opposite is true; when tourists are drawn to see landmarks such as the pagoda-like Yellow Crane Tower (a Taoist landmark,

one of China’s four great towers), the 350-year-old Guiyuan Temple, and the Hubei Provincial Museum. Like Washington DC, where I most recently worked for the US State Department, many tourists visit Wuhan to see the scenic East Lake and enjoy the cherry blossoms in March and April. Wuhan is also a transportation hub. Their international airport handles more than 24 million passengers annually (which ranks with Houston’s main airport for comparison). It is centrally located in China’s internal airline route-network. It is also the intersection of the development of High-Speed train lines. Sitting at the confluence of the mighty Yangtze River and Han Rivers, it has long been a freshwater port for shipping, in the same way Chicago and Philadelphia are port cities for both domestic and international shipping. In terms of diet, Wuhan has a variety of western companies, such as Starbucks, McDonalds, etc. However, Wuhan has been historically noted for their spicy foods. It is probably their love of exotic meats that started this virus, since the virus was first discovered in the wholesale market where they sell live wolf puppies and snakes. With over 11 million people, Wuhan is attempting to move from its historical and cultural importance to being a high-tech research and manufacturing center. Foxconn, a key Apple supplier, has a plant there. For heavy manufacturing, Renault has several plants in the area. Speaking of the historic city of Wuhan, because I have over 20 years in records and information management experience, I will be interested in their transition from paper to electronic records. How does a city that large and that old (since 1460 BC) keep their records and move them into 2020? Even more challenging is to keep those records accurately and honestly? The Communists have burned many records and sold-off cultural artifacts to the West for cash to buy arms from the Russians. They also permanently erased living memory of those who did not agree with Communism.
All of this has allowed them to freely rewrite Chinese history and reinvent society on the line of Dialectical Materialism. On the positive side, there are said to be over 300,000,000 Christians in China, mostly in the underground home-church movement, who may eventually have some impact on the culture. So, we will see how that duality is reflected in their records.

DR. ROBERT L. BAILEY HAS HAD A LONG AND DISTINGUISHED CAREER IN RIM AND IG. HE IS CERTIFIED AS A CRM, MIT, IGP, ECMP, AND ALSO NARA AND ESSENTIAL RECORDS CERTIFIED. HE MAY BE REACHED AT RLBAILEY@LIVE.CA OR VISIT WWW.STUDYANDMIGRATE.COM.


NARA FOLLOWING THROUGH ON WHITE HOUSE DIRECTIVE TO GO PAPERLESS

BY ANDREW YSASI

On June 28, 2019, the White House issued a memo from Russell Vought, the Acting Director, Office of Management and Budget, and David Ferriero, Archivist of the United States, National Archives and Records Administration. The memo highlights the primary objective to modernize government by going electronic—or “paperless” by 2023. The directive in the memo highlights the importance of the use of metadata and to close record storage facilities operated by NARA or commercial entities.

Further, the memo highlights critical deadlines identified in Section I:

• By 2019, Federal agencies will manage all permanent electronic records in an electronic format.
• By 2022, Federal agencies will manage all permanent records in an electronic format and with appropriate metadata.
• By 2022, Federal agencies will manage all temporary records in an electronic format or store them in commercial records storage facilities.
• Federal agencies will maintain robust records management programs that comply with the Federal Records Act and its regulations.

The memo outlines implementation guidance in Section II:

• By 2020, NARA will revise records management regulations and guidance to support Federal agencies’ transition to fully electronic recordkeeping.
• By 2020, OPM will revise position classification standards for archival and records management occupational series to incorporate electronic records management responsibilities and functions.
• By 2022, NARA will no longer accept transfers of permanent or temporary records in analog formats and will accept records only in electronic format and with appropriate metadata.

It appears NARA is working on this directive. On January 30, 2020, NARA issued a request for information (RFI) with hopes to learn more about cloud storage, infrastructure as a service (IaaS), Platform-as-a-Service (PaaS), and Software-as-a-Service (SaaS) capabilities according to this article.
The memo goes on to mention hundreds of millions of taxpayer dollars required to store both electronic and paper records, and by going paperless, the government will no longer have to store records on paper, reducing physical storage costs and increasing accessibility. Time will tell if this initiative saves taxpayer money, or transfers the expense to cloud providers.




The road to IG ruin is paved with good intentions, both strategic and tactical. Although IG Leaders know that proper data management and governance will help grow, improve and protect their businesses, many have trouble articulating that value in a way that resonates with Business Stakeholders and C-level leadership. IG Leaders, especially those more rooted in information technology, tend to focus more on the technical HOW instead of the strategic WHY. IG Leaders often have unrealistic expectations that Business Stakeholders will learn or even care about the physical implementation process. IG and Data Management efforts are rarely considered exciting, innovative or “sexy.” By contrast, Business Intelligence (BI) enjoys a disproportionate amount of exposure, limelight and support. The elevation of Data Science practices to near-heroic stature continues to overemphasize the value of BI over IG. Ironically, BI fails without IG, as BI value is inextricably linked to the quality of IG efforts.

While there is no doubt that BI brings incredible value to an enterprise, without proper IG those efforts can prove futile. Moreover, the successful implementation and adoption of enterprise systems, and the eventual operationalization of BI results into those workflows, is directly beholden to the successful outcome of IG. The “Golden Rule of Data” – garbage in, garbage out – remains an inescapable reality.

Terminology note: For the purposes of this article, Information Governance (IG) serves as an all-encompassing term for the supporting organizational and functional efforts (data governance, RDM, data stewardship, data cataloging and the overall category of data management) as well as the outputs (master data, reference data, metadata). BI refers to analytics and business intelligence efforts, including artificial intelligence, machine learning, and data science.

To win over Business Stakeholders, IG Leaders must create a compelling narrative that builds urgency, reinvigorates enthusiasm and aligns with the strategic intentions of the Enterprise. If Business Stakeholders do not understand and agree on the WHY, they will have no interest in the HOW. While Data Storytelling and Data Literacy efforts are gaining market traction, these tend to be more focused on using BI outputs in a business setting or in a relationship-building process. An IG narrative, however, focuses on telling stories ABOUT the data rather than WITH the data. IG Leaders who seek to improve soft skills and execute simple storytelling techniques will be more likely to gain a rightful place for their initiatives on their organization’s strategic agenda.




Figure 1 Characteristics of a balanced narrative. The figure sets Completeness of Vision with Compelling Storytelling (WHY are we doing it? Sizzle; audience empathy; “Sounds Cool”; head in the clouds; inspiring evangelism; worst case: buzzy marketing spin) against Technical Accuracy (HOW are we doing it? Steak; can get it done; “Makes sense”; feet on the ground; practical execution; worst case: boring technobabble). Narrative topics: Company Objectives, Macro-Trend Impact, Immediate Gains, Long-term Benefits, Innovation Enablement.


Utilize this 3V framework to help illustrate the strategic importance of IG to the wider business stakeholder community. An IG narrative should effectively convey a balance between an ability to execute rooted in technical reality and the completeness of vision supported with compelling storytelling. (See Figure 1)

Answer these questions to approach it as an internal marketing campaign:

• Who is your target audience? (C-Level, Business Stakeholders, IG personnel)
• What behavior and perceptions need to be changed? (Greater support, improved compliance, on-going funding)

1. ESTABLISH AN ACCESSIBLE VOCABULARY

Go beyond the legacy lexicon of the enterprise data management space. (See Figure 2) Concepts such as “cleansing” or “freshness” may be important, but they are hardly holistic and rarely strategic. Most “data hygiene” exercises are ad-hoc, campaign-based projects isolated to a siloed use case. Use strategic terms like structure, standardization and common definitions.

Answer these questions to avoid tactical technical terminology:

• What is the terminology and nomenclature used in the enterprise and industry vertical?
• What is the most granular business relationship? Customer, account, client, store, door, consumer?
• What terms are used to describe hierarchy relationships, customer segmentations and market geographies?
• How does IG grow, improve and protect the business?
• What is the IG program called? Does it resonate and build excitement with the Business Stakeholders or is it just the name of the software platform?

Figure 2 Examples and comparison of tactical versus strategic vocabularies. Technical: Cleanse / Append; Hygiene; Internal Proprietary Terminology; Ad-Hoc Projects; Transactional; Silos; Vertical; Opportunistic; Features. Business: Structure / Foundational; Integration / Interoperability; Market Terminology; Continuity Program; As-a-Service; Enterprise; Horizontal; Holistic; Benefits.

2. HARMONIZE TO A COMMON VOICE

Share and propagate the narrative. Create a short, standardized overview or “elevator pitch” about IG. Avoid in-depth technical explanations. Use simple business language. Focus on results and benefits instead of process steps and features. Answer these questions:

• Where has IG already made a difference?
• What typical pain points can IG relieve?
• What major initiative and strategies relate to business relationships (customer, vendor, partner, prospect) or enterprise entities (product, brand, asset, service, offering)?

Create a collection of business success stories from collaborative partners in sales, marketing, financial, analytics and operations. Tie these anecdotes together with the common motif of IG as an enabler. Share these stories on a regular basis across your stakeholder community.

3. ILLUMINATE THE BUSINESS VISION

The need for IG has never been


greater. The convergence of social, mobile, cloud, and information patterns is driving new business scenarios within the macro-trend of Digital Transformation. This transformation unlocks untapped value, innovative experiences and disruptive business models. In a digitally-transformed organization, data moves seamlessly from workflow to workflow and between external partners. Users can spend their time improving the relationship experience rather than questioning the data. Part of the challenge is that IG on its own has no distinct value. It must enable other efforts. Only the rare CEO cares about data quality. But every successful CEO is passionate about customers and business relationships, as well as the quality and satisfaction engendered from products, brands, services and offerings. To identify the connections between IG and strategic initiatives, locate and rigorously review strategy documents presented by business leadership (i.e., investor day presentations, annual reports, employee newsletters, or other declarations of company intentions). Determine the role IG plays in those efforts centered around business growth, operational efficiency and risk mitigation. IG Leaders must develop a strong narrative in order to win the hearts and minds of Business Stakeholders. Data storytelling is a critical soft skill for anybody trying to reinforce the strategic value of IG. Without a story that resonates with the

business, IG risks being relegated to an internally-focused, clerical, back office, data cleansing exercise. Cutting through the cacophony of technobabble and false promises is crucial for IG success. Storytelling is alive and well in many parts of most organizations. Seek collaboration from storytelling experts in Sales, Marketing, Enablement and Corporate Communications. Anchor the narrative in reality. Despite the claims of many vendors, Customer 360° cannot be bought off the shelf. It must be built. There is no “silver bullet” for a “golden record.” An overarching IG program manages one of an Enterprise’s most important assets: Data. IG manages the codification and standardization of relationship types and business entities. IG enables mission critical priorities and provides the foundation for any sort of digital transformation. Explain that to your Business Stakeholders and your IG story can end “happily ever after.”



Content Analysis



In today’s business environment, businesses are increasingly affected by external forces: privacy regulations, like the California Consumer Privacy Act (CCPA), are bringing data privacy and protection issues to the fore; the continued explosion of content stresses IT capacities; an evolving workplace and workforce forces new management thinking; and the changing IT landscape requires new modernization strategies. Addressing any of these is a daunting challenge for any organization, but it’s important to point out that the common thread among them is content. If we can understand, manage, and use our content to improve compliance, governance, and process automation, we can better address each of these forces.

All organizations, no matter their size, should be thinking about how they can clean, modernize, govern, enrich, and automate their content. Content needs to be actionable, searchable, and available to today’s workforce. But where do you start? Embarking on the content journey depicted below will address the driving forces mentioned above, allow organizations to take advantage of best-of-breed SaaS (software-as-a-service) offerings, and provide the workforce with the right tools and content when and where they want it. Such a journey can begin at any point in the cycle, but most organizations will find that beginning with content analysis affords the best starting point.

Content Analysis: Gaining an understanding of what you have, where you have it, and what the risk is provides a valuable foundation upon which all other activities along the journey can benefit.

Content Cleanup: Eliminating risk and ROT (redundant, outdated, and trivial content) in the early stages allows organizations to mitigate the risk of unsecured sensitive data and focus on the content of value.



[Figure: the content journey cycle, with stages labeled Content Analysis, Content Cleanup, Platform Modernization, Content Enrichment, and Process Automation]

Platform Modernization: Moving to cloud content services and upgrading taxonomies and content architectures are examples of this. Modern approaches like these allow you to do more with, and get greater value out of, your content of value as well as automate the disposition of ROT.

Process Automation: Optimizing processes and extracting metadata to make content actionable should be priorities for any content journey. Investments like these can impact the bottom line, improve supply chains, enhance customer relationships, and more.

Here are a few tangible steps you can take today to get started:

Develop a content profile for your organization – A good content profile helps you understand what you have, where it exists, and who has access to it. It should look at all unstructured data across file shares, SharePoint sites, cloud storage, and other repositories. This will provide a good understanding of areas of risk (e.g., regulated, private, unsecure) as well as content that has no value.

Inventory your systems – It is critical to inventory and understand what applications are using your content, what applications are creating content, and how those systems are being accessed (e.g., internally, via mobile, via the web).


Business strategy – Consider the impact that content will have on your digital transformation and how your business could support, or hold back, your plans for efficiency and engagement.

Bring in expertise – Efforts like these can often go faster and more efficiently when outside experts are brought in. Proven methodologies, templates, and proprietary tools can all be brought to bear to help get it right the first time around.

Final word: A content governance and automation journey is just that: a journey. Proper time and commitment to planning, architecting, and providing governance controls to all your content along the way is essential. Organizations must have the mettle to properly maintain the content of value and delete content when its useful life has expired.

SCOTT BURT IS PRESIDENT & CEO OF INTEGRO, AN AWARD-WINNING TECHNICAL CONSULTANCY HE CO-FOUNDED IN 1995 WHICH HELPS ENTERPRISES CONFRONT THE EVOLVING CONTENT LANDSCAPE WITH MODERN SOLUTIONS FOR IG AND CONTENT SERVICES. SCOTT IS AN EXPERT IN IG AND ADVISES COMPANIES AT ALL STAGES OF THEIR CONTENT JOURNEY. HE SPEAKS REGULARLY AT INDUSTRY EVENTS ON TOPICS SUCH AS CONTENT CLEANUP, CONTENT PRIVACY, EMAIL GOVERNANCE, AND AUTO-CLASSIFICATION. CONNECT WITH SCOTT ON TWITTER AT TWITTER.COM/INTEGROBURT AND ON LINKEDIN AT LINKEDIN.COM/IN/SCOTTBURT.

NEW 2020 CUSTOMERS’ CHOICE FOR CONTENT SERVICES PLATFORMS BY GARTNER

Gartner recently announced its Best Content Services Platforms of 2020, as reviewed by verified customers through its Peer Insights Customers’ Choice series. Gartner Peer Insights is a robust enterprise IT product and service review platform that hosts more than 255,000 verified customer reviews across 355 defined markets. In markets where there is enough data, Gartner Peer Insights recognizes the vendors that are the most highly rated by their customers through the Customers’ Choice distinction. Peer Insights Customers’ Choice does not include an expansive vendor listing or proprietary graphic to help organizations select the best tools. Rather, it provides reviews that go through a strict validation process to ensure they are authentic and professional. Gartner Peer Insights are meant to be a complement to its expert-led research reports. The reviews are available here.

Laserfiche Earns the Highest Average Score

Laserfiche’s Content Services Platform (CSP) received 129 verified reviews, with the highest average rating of 4.7 stars. 76 percent of its reviews were 5 stars and 22 percent were 4 stars. Laserfiche’s closest competitors are Adobe and Microsoft, which both earned an average score of 4.6 stars. Laserfiche was also named a challenger in the 2019 Gartner Magic Quadrant for Content Services Platforms.

Microsoft Received the Largest Number of Reviews

Microsoft’s Office 365 earned 704 verified reviews, netting an average of 4.6 stars. 63 percent of those reviews were 5 stars, while 34 percent were 4 stars. The solution is recommended for those who have an investment in Microsoft, but some reviews say that clients have to use products in addition to SharePoint to round out its CSP features. The solution is enabled via a unified cloud-based platform that includes AI capabilities for content insight and process automation. Adobe received the second most reviews with 309, followed by Laserfiche at 129, and Box at 106.

Gartner Recommends Using Customer Reviews to Supplement Vendor Evaluation

Where Gartner’s Magic Quadrants are aimed at helping organizations identify vendors to keep tabs on in the overall marketplace, peer reviews are driven only by customer feedback based on specific experiences relative to unique technology environments. It is best to utilize all the tools at your disposal when assessing data center backup and recovery solutions.




It is coming and it is big news. If you haven’t heard about Project Cortex by Microsoft, then hold on to your seat because your world of business knowledge is about to change drastically. Microsoft has announced the public release by mid-year 2020 of what it describes as the fourth pillar of Microsoft 365 (previously Office 365): Project Cortex. At the AIIM2020 Conference in Dallas, I spent an hour with two senior product managers from Microsoft, Chris McNulty and Rebecka Isaksson. What I found special about Cortex is its ability to manage and protect content with AI using built-in security and workflow. Cortex has the capability to learn and train models to recognize your business data using a content center as a ‘hero destination’ with reusable web parts for retrieval, organization, and management. “Project Cortex is Microsoft’s commitment to reinvigorating a category of knowledge,” states Chris McNulty, Microsoft Senior Product Manager. “Essentially, Project Cortex lets you build your knowledge network on Microsoft 365.”

“Project Cortex takes advantage of our search technology to reach out and index remote content like file shares, on premises, environments, wikis and things like that.”

“First, we build out the infrastructure of 365,” Chris explains, “along with taking advantage of our surf technology to be able to reach out and index remote content like file shares, on premises, environments, wikis, and things like that. Second, we use AI and skill technology to be able to classify information coming in, including video and audio files, pulling text and objects for documents with structured and unstructured data. The content is then broken down and pulls key facts, figures, numbers, and details to add as tags to the content. This precision tagging of the content opens up situations for workflow, for search and compliance.” Cortex allows for the functionality to “Extract & Classify Unstructured Content” including forms, documents, images, audio and videos.


I asked Microsoft Senior Product Manager, Rebecka Isaksson, to help me understand the term “no-click search.” Rebecka responded, “One really different, important differentiator from traditional knowledge-management systems is that it (Cortex) brings the content and knowledge into contacts on the app that you are working in right now. I wouldn’t say it’s completely eliminating the need for an end-user to search but it is definitely changing it more to make it a push rather than a pull. This has been one of the major obstacles of any ECM (enterprise content management) solution which is how to find the right stuff and how much time do I have to spend to find it.” Understanding the importance of this critical functionality by delivering essential knowledge to the corporate workforce, one can easily see how Project Cortex will not only reduce searching in general, but allow us to more easily navigate across documents, people, and conversations in a more exhaustive and relevant manner when we do search. “The Cortex Knowledge Center is a game changer,” declares Joel Oleson, an MVP and Microsoft Regional Director, and Director at Perficient. “It is an automatic organizational Wikipedia of knowledge retrieval in the productivity apps I use every day with “no-click search” of topics. I love the center of knowledge derived from the content. I feel like it is unlocking

hidden knowledge and keeping me closer to what is actually happening not only on my projects and clients, but what the rest of the company is doing.” Project Cortex will allow each business to discover themselves in ways they’ve never thought possible. Partners and vendors will be able to ask, “Where is your organizational knowledge?” and then help each business more easily integrate those systems into the productivity tools they use daily. Cortex will allow integration like never seen or thought possible before. Every company has structured data and business processes; Project Cortex gets to the heart of these processes and enables companies to move mountains, break down silos, and connect people to projects, processes, and data. Having knowledge is one thing; delivering and utilizing it is another. For the first time in the digital age, we can empower people with useful knowledge

and expertise while working with the apps they use every day. Project Cortex can automatically connect and organize knowledge across teams and systems. You will be able to mine within M365 and other connected data to curate organizational topics, allowing you to automate the extraction of metadata and map your taxonomies. I agree with Lewis Platt, former CEO at Hewlett Packard, on the importance of not only having corporate knowledge, but also delivering and using this knowledge to help increase profitability. “If HP knew what HP knows,” he states, “we would be three times as profitable.” Currently, Project Cortex is in a

private preview phase. Organizations wanting to participate in a private preview of Cortex, Microsoft’s emerging “knowledge network” for Microsoft 365 users, can now check their qualifications against Microsoft’s rather strict participation criteria. Project Cortex will affect how everyone in an organization understands and uses corporate intelligence or business knowledge. It is called the Power of Enterprise Knowledge, or PEK. From compliance and security, to business automation, to insights and search, Project Cortex provides a fresh approach to integrating AI and connecting records systems with productivity and automation directly in the tools people use every day. Imagine what this means for you, a lawyer, a doctor, or a stock trader. M365 and Project Cortex will provide the tools to help you do business better.



AI ASSISTING DOCTORS WITH COVID-19

COVID-19 has undoubtedly changed the way we live and work in a short amount of time. Artificial intelligence (AI) has helped society in many ways, and now AI is being put to use to help doctors find patients with COVID-19 sooner. AI technology in China is doing this in several ways. According to a report from The Star, researchers at Huazhong University of Science and Technology in Wuhan claim an AI tool achieves a 90% accuracy rate on survivability by analyzing blood samples. The article further states that AI is being used to compare chest scan images to distinguish between COVID-19 and other strains of influenza. While this information is helpful, it is up to the physician to make the determination on how to react to the data, so AI is not solely deciding who receives treatment and who does not.

Google acquired a company called DeepMind in 2014 that is being used to find proteins associated with COVID-19. What would have usually taken months takes much less time due to deep learning and machine learning technology, according to the article on thenextweb.com. Further, some sites are collecting data that could be used by AI to help with future pandemics. Google has a COVID-19 page at google.com/covid19/ that provides data and insights on confirmed cases throughout the world.

Is it possible that AI in the future will be ready to help us fight global pandemics sooner? As stated in an article on Bruegel.org, AI technology is not fully utilized or mature enough to truly help in an expanded way globally. Hopefully, AI tech will be in place to help us address the next global pandemic and hopefully end this one sooner rather than later.




INSIGHTS INTO THE AI TECHNOLOGY FACEBOOK USES BEHIND INSTAGRAM EXPLORE

More than a half billion of Instagram’s roughly users visit Instagram Explore monthly to discover photos, videos, livestreams, and Stories. The AI-based recommendation engine — which sorts through and curates billions of content sets that appear on Instagram — faced huge technical challenges as it had to scale massively to operate in real-time.

Facebook recently revealed the inner workings of Explore. It uses a three-part ranking funnel, which was designed with a custom query language and modeling techniques. The ranking engine extracts about 65 billion features and makes 90 million model predictions every second! Now that is performance.

The Explore development team developed tools to conduct large-scale experiments and obtain strong signals on the breadth of users’ interests before they began building a content recommendation system. The first of the tools was IGQL, a meta language that could scale well. IGQL is both statistically validated and high-level, which allowed engineers to write recommendation algorithms in a “Python-like” fashion. And it complements a component that helps identify topically similar profiles as part of a retrieval pipeline that focuses on account-level information.

To predict the most relevant content for each person, a lightweight ranking distillation model preselects candidates before passing them to more complex ranking models. Then, leveraging knowledge from the more complicated models, the simpler model tries to approximate the main ranking models as much as possible via direct (and indirect) learning.

But there were age-appropriate considerations needed: Signals are used to filter out anything that might not be eligible (safe and appropriate). Algorithms detect and filter spam and other content, typically before an inventory is built for each user. Facebook says that over 99% of child nudity and exploitation posts were deleted over the past year.





EUROPEAN CENTRAL BANK CONSIDERS DIGITAL CURRENCY WITH PRIVACY PROTECTIONS

The continuing digitalization of the global economy is providing growth opportunities, but also challenges. Bitcoin is trading at less than half of its peak price in late 2017, when it reached almost $20,000. Facebook is trying to launch its Libra “permissioned blockchain digital currency,” which today only exists as experimental code, written in the open-source Rust language. And now the European Central Bank (ECB) is considering the timing and logistics of a potential central bank digital currency (CBDC). When there are multiple digital currencies available, some may collapse while others thrive, but the ECB cannot afford a failure, so the stakes are high. What they are working on is a novel concept. The approach revealed recently in an ECB report is to issue “anonymity vouchers” to provide CBDC users some privacy protections in their retail transactions. This approach attempts to balance the need for privacy protection with the ability for regulators to maintain anti-money-laundering (AML) enforcement. The vouchers are “time-limited” and will be released in limited batches by the AML Authority. The ECB hailed its new approach as evidence that privacy concerns and regulatory demands can coexist in a CBDC. The anonymity vouchers would provide a privacy shield of sorts. They would be issued to account holders at regular intervals, regardless of their account balances, and then could be redeemed on a one-to-one basis. Under the proposed CBDC approach, if Trevor wants to anonymously send CBDC tokens to Sophie, Sophie must hold the equivalent number of anonymity vouchers. The anonymized transactions would skip reviews from the ECB’s proposed AML Authority, the intermediary reviewing all transactions. However, if Sophie does not have enough vouchers, she cannot complete the anonymous transaction.
The ECB said vouchers cannot be transferred between individuals, and anonymous vouchers “are simply a technical tool used to limit the amount of CBDC that can be transferred anonymously. This means that limits on anonymous CBDC transfers can be enforced without recording the amount of CBDC that a user has spent, thereby protecting users’ privacy,” the report states. Many questions still remain: How will parties know how many vouchers are available on the other end? What transactions need to be done anonymously? For what business purpose? Will these transactions be free of AML regulatory scrutiny? What are the criteria for the number of vouchers an entity receives? Will this mean that wealthy individuals will be able to mask their financial dealings? Will they set up multiple accounts through shell businesses to be able to conduct large transactions anonymously, through a series of small transactions? Time will reveal the answers to these questions; and we all know that digital criminals are already devising ways to game the new CBDC system.



Fintech has emerged as one of the fastest growing sectors in the financial services industry and has radically disrupted traditional banking. However, it has become clear that for both to thrive, the culture between fintech and incumbent firms must change from one of competition to collaboration. The Financial Services Guide to Fintech looks at this trend in detail, using case studies of successful partnerships to show how banks and fintech organizations can work together to innovate faster and increase profitability. Written by Devie Mohan, an experienced fintech advisor and influencer, this book explains the fundamental concepts of this exciting space and the key segments to have emerged, including regtech, roboadvisory, blockchain and personal finance management. It looks at the successes and failures of bank-fintech collaboration, focusing on technologies and start-ups that are highly relevant to banks’ product and business areas such as cash management, compliance and tax. With international coverage of key markets, The Financial Services Guide to Fintech offers practical guidance, use cases and business models for banks and financial services firms to use when working with fintech companies.



FINTECH STARTUP PORTIFY RAISES $9.1M FOR ‘GIG ECONOMY’ APP

Portify, the London fintech startup that offers an app and various financial products to help gig economy and other modern, flexible or “self-employed” workers better manage their finances, has raised $9.1 million (£7 million Sterling) in Series A funding. The round, which comes a year after the company raised £1.3 million in seed investment, is led by Redalpine (an early investor in N26, Taxfix, Finiata, amongst others), with participation from existing investors Kindred and Entrepreneur First (EF). Founded in May 2017 by EF alumni Sho Sugihara (CEO) and Chris Butcher (CTO), Portify has set out to help address the financial volatility many modern workers face, especially those who take part in flexible work or the so-called gig economy, or are self-employed in other sectors such as tradespeople or those in the creative industry. The startup offers a number of tailored financial products, accessible via its mobile app, in addition to using Open Banking to provide financial insights into your current financial status and income, and help with short and long-term financial planning. However, until recently, the go-to-market strategy was primarily a B2B2C play — via partnerships with various gig economy platforms, such as Deliveroo. That’s now expanded to B2C. “If you weren’t working for a select partner platform, you couldn’t access the app,” says Portify co-founder and CEO Sho Sugihara. “We did this because we wanted to make sure we were 100% focused on our target modern worker persona, and helping to financially include them. But once we started working closely with our initial users, we realized that while being modern workers, many of them also fell into the ‘credit invisible’/thin file segment, lacking access to basic financial products.”
Sugihara says that while many thin-file modern workers do work with gig or temporary staffing platforms, the fintech startup also saw that many do not, or they switch work platforms frequently with gaps in between. This includes sole traders or those in employment but temporarily looking to top up their incomes. “To make sure we fulfill our mission of financially including all thin-file modern workers, we felt it important we make our app as accessible as possible,” he explains. “In practice, this means that users can download the app directly off app stores now.” Meanwhile, Portify says it will use the new funding to offer credit building and personal loans for “micro-business use.” It already launched credit services in the app earlier this year. “Our revolving credit line caps out at £250 today,” says Sugihara. “We plan to increase this amount to higher values for a select cohort of our users: £500-1,000. Many modern workers are essentially tiny businesses/sole traders and face issues that any SME would face, like fluctuating earnings and turnover. While there are many products out there serving cash flow issues for large SMEs, our modern worker segment is extremely underserved. They fall somewhere between a consumer and business in the eyes of incumbent financial institutions who don’t really know how best to serve them. We see a big opportunity there, and are going after it.” At the same time, Portify has begun working with the major credit bureaus to report the data produced by its app—with a user’s consent, of course—to help improve credit scores. “Being credit invisible is a big pain point for modern workers,” adds the Portify CEO.

The emerging financial technology (“FinTech”) industry has been expecting some new U.S. legislation that might tilt the market in its favor. However, with privacy concerns looming, FinTech is collectively holding its breath. In mid-2019, Facebook announced a planned cryptocurrency, Libra (a new “stablecoin,” a subset of cryptocurrency), which changed the FinTech industry’s focus from pressing hard for beneficial bills to steering away from measures aimed at regulating Facebook’s aggressive commerce plans, and some different proposals have been circulated. But in 2020, most FinTech legislative observers expect and hope for the status quo, although some federal privacy legislation may happen. Proposals like a bill from Rep. Sylvia R. Garcia, D-Texas, that would have regulated Libra as securities were only modestly amended, a positive sign for the FinTech community. But industry pundits expect to see more measures aimed at discouraging Big Tech from moving onto Wall Street’s turf than those doing the opposite. Some proposals with names like the “Keep Big Tech Out of Financial Services Act” have circulated. Jonah Crane, a former Treasury Department staffer who now advises fintech firms, stated, “I don’t see high odds that those kind of bills will go anywhere, but they are the kind of bills that, if they start to get momentum, could be hard to stop because of the general antipathy towards Big Tech these days.” But even if bills like that make it to the House floor, they would likely stall in the Senate. “Betting on congressional inaction has sort of been a relatively safe bet for a while,” said Crane. “But there are a handful of small things that seem like they could happen.” The fear that Big Tech companies like Google Alphabet and Facebook will venture into banking is largely motivated by the sector’s spotty record with data privacy.
Congress and the public have become increasingly concerned that Silicon Valley is violating users’ privacy rights by tracking users’ every online move, and then leveraging that data to manipulate users’ online use, buying decisions, and even political stances (remember Cambridge Analytica?).



April 23, 2020 (3-D Virtual Event) The IG and Infonomic$ Summit continues IG World’s event series designed to educate and inform participants about infonomics and the value of data. This Summit will be a unique 3-D virtual experience. Attendees will be able to create their own avatar. Attendees will be able to ‘walk’ around the reception area – with their custom-created avatar – and greet others with a virtual handshake. They can also speak directly to them, and participate in small group discussions, just as they would when entering a conference. Then they can walk into the main auditorium where they will be automatically seated and muted while waiting for the sessions to begin. After the presentation(s), attendee avatars can clap, cheer, and even dance! During breaks, attendees can walk to the off-campus beach where they can watch fireworks, or go to a soccer field where they can kick the ball around. The Summit features authors Doug Laney (Infonomics) and Robert Smallwood (Information Governance: Concepts, Strategies and Best Practices) along with presentations by CEOs Glen Day (NVISNx) and Neil Calvert (LINQ) and KPMG’s Director of Cybersecurity Services Rich Kessler. Come join us for a unique virtual experience and find out how to get more value out of the data you already have! https://infogovworld.com/virtual-event-registration-april-23/


May 4-6, 2020 (Virtual Event) The MER Conference is still going strong! The Conference was originally scheduled to be held in Chicago, but the coronavirus outbreak has caused it to switch to a virtual format. The 28th annual MER Conference will focus on the legal, technical and operational aspects of Information Governance and the management of electronic records. It is designed to be a collaborative learning experience which empowers leaders with insights, connections and resources to effectively lead IG and eRIM projects. This year’s keynote speaker is Catherine Casey of Disco. Breakout sessions include: Achieving your 20/20 Vision for Information Governance, The Information Governance Value Proposition, Governing Information Ethically – It’s Risky Business!, Information Governance: People, Process and Technology, The Hitchhiker’s Guide to IG, and The State of Information Governance 2020 presented by Robert Smallwood. The closing keynote features J Trevor Hughes, the President of IAPP, who will speak on the History and Future of Privacy. The MER Conference attracts progressive decision-makers and organizational influencers from companies large and small. Come join the fun and meet up with your colleagues who work in Information Governance and records management!


May 6 (New York) The CDO Summit addresses the challenges and opportunities arising from AI, big data, the cloud, digital disruption, and social and mobile media. This year’s speakers include Bruno Kurtic, co-founder and VP of Product Strategy at Sumo Logic, Ira Rubenstein, CDO of PBS, Keyur Desai, former CDO of TD Ameritrade, Krishna Cheriath, CDO of Bristol-Myers Squibb, Ory Rinat, Chief Digital Officer of the White House and Stephanie Trunzo, GVP of Transformation at Oracle. The CDO Summit offers data/digital strategists and practitioners an intimate, collegial and supportive environment designed to encourage networking, learning, and knowledge-sharing. The Summit is hosted by the CDO Club which is the world’s first, largest, and most powerful community of C-suite digital, data, analytics, and cyber-security leaders. The CDO Club has partnered with IDC to provide strategic leadership development and timely insights and comprehensive guidance for research needs in digital, data and analytics. The CDO Club enables members to share experiences, best practices and stay on top of the rapid changes taking place in market dynamics. Its 5000+ members include seasoned leaders with experience in digital transformation and data-driven culture. This year’s New York CDO Summit will be held on the Columbia University campus. http://nyc.cdosummit.com/

What to do in New York

New York City is full of iconic places to visit. Attractions include the Statue of Liberty, the Empire State Building, Wall Street, Broadway, the 9/11 Memorial and the One World Trade Center Observatory. Visitors who want to see the city from a different vantage point can take a New York Harbor cruise. Rockefeller Center is an Art Deco skyscraper and the view at the Top of the Rock is like no other. Central Park is a wonderful place to relax and get away from the crowded city streets. Among the famous museums, two that stand out are the Museum of Modern Art where you can see works by Van Gogh, Picasso and Warhol and the Metropolitan Museum of Art (the Met) where you can explore a global perspective of art history. https://freetoursbyfoot.com/things-to-do-innew-york-city/

Central Park, New York


May 21-22, 2020 (Toronto) The International Association of Privacy (IAPP) Canada Privacy Symposium will help you find answers to your privacy questions. Keynote speakers include Michael Geist, University of Ottawa Law Professor, and Daniel Therrien, Privacy Commissioner of Canada. The Commissioner’s Game show is back again by popular demand. The daily sessions will feature speakers and panelists who are experts in Canadian data protection. Session titles include Introducing MyData, a human-centered approach to personal data management that combines the industry’s need for data with digital human rights and Understanding the Use of AI in Chatbot and Key Risks. This year the IAPP will introduce the Inaugural Ian Kerr Memorial Lecture to honor Dr. Kerr’s legacy advancing the growth and visibility of the Privacy Profession in Canada. The Symposium returns to the Metro Toronto Convention Centre which has been reconfigured for added convenience, including the addition of a new breakout room. https://iapp.org/conference/iapp-canadaprivacy-symposium/

What to do in Toronto

Toronto is the capital of the province of Ontario, and has a population of 2.7 million people. The city is located on the northwest shore of Lake Ontario which offers visitors opportunities to visit beaches—try Toronto Island for a fun excursion—and participate in recreational watersports. One of the popular tourist activities is a day trip to visit Niagara Falls. Another fun activity is the Hockey Hall of Fame Museum. Folks who like to see things from high in the sky should plan a trip to the top of the CN Tower for lunch with a view of the spectacular Toronto metropolis. The tower features a glass floor section which provides the brave souls who venture out onto it the opportunity to look straight down 1,122 feet to the ground below. https://www.tripadvisor.com/Attractionsg155019-Activities-Toronto_Ontario.html

Niagara Falls, Toronto


July 7-11, 2020 (Denver) The National Association of Government Archivists and Records Administrators (NAGARA) is the preeminent professional association dedicated to the improvement of federal, state, and local government records and information management and the professional development of government records administrators and archivists. The theme for this year’s annual conference is “Mining our Past, Engineering our Future”. The theme ties into the history of Colorado and also parallels the work NAGARA members do as government information professionals. As the conference website states, “We mine the past through making government information accessible and learning about professional best practices to replicate at our institutions. We engineer our future by providing a bridge between the public and government and working to ensure our organizations adapt to the changing information landscape.” The 4-day conference features 25 breakout learning sessions, access to dozens of vendors and industry experts and two networking receptions. This year’s event will be at the Embassy Suites in downtown Denver. https://www.nagara.org/AnnualConferences

Downtown Denver

What to do in Denver

Denver is the Mile-High City. The Colorado State Capitol stands at exactly 5,280 feet above sea level! The Capitol’s rotunda offers a panorama of snowcapped peaks. The Brookings Institute ranks Denver as the fourth most walkable downtown in the nation. There is a free shuttle bus on the 16th Street Mall that takes you to popular places like Union Station and the LoDo Historic District. The LoDo (Lower Downtown) District is Denver’s happening place. The historic warehouses are now home to 90 brewpubs, sports bars, restaurants and rooftop cafes. The Denver Art Museum has the world’s greatest collection of Native American art and 68,000 other objects including works from European masters and Old West classics. Elitch Gardens Theme & Water Park is the only downtown theme park in America. It is really two parks in one: one part offers 53 rides including looping roller coasters and the other side is a wet ‘n’ wild water park. The Buffalo Bill Museum tells the exciting story of Wild Bill Cody. The Colorado Railroad Museum has a collection of more than 100 narrow gauge and regular gauge locomotives, cabooses and cars. https://www.denver.org/things-to-do/denverattractions/must-see-denver/


Aug 17-18, 2020 (San Diego) The Transforming Data with Intelligence (TDWI) San Diego Strategy Summit for Analytics is designed for executives, directors and C-suite leaders to learn, develop and prepare for the year ahead. Analytics is now an essential element of a successful business strategy. Company leaders need to know how to measure performance and predict future outcomes. This two-day event includes a roundtable discussion of the transformative benefit of an analytics practice, multiple case studies on digital transformation and data strategies, as well as a panel discussion followed by a Q&A session. The intensive thought leadership sessions will show attendees where to start and how to plan for the future. Attendees will come away with an action plan and reference material to help drive their analytics initiatives. The second day’s agenda includes a session on tools, technologies and platforms which will provide attendees with the information they need to initiate new analytics projects within their companies. The final session will be a workshop followed by a closing roundtable discussion. Attendees will then have the opportunity to network with sponsors at the post-event reception. https://tdwi.org/events/strategy-summits/san-diego/home.aspx

What to do in San Diego

San Diego is known as America’s Finest City. Located on the Pacific coast, San Diego has a Mediterranean climate. The average temperature in April is 68 degrees. Visitors can explore San Diego’s historic Old Town which features many authentic Mexican restaurants. The Point Loma lighthouse has sweeping views of the Pacific Ocean and US Navy installations in San Diego Bay. The Gaslamp district offers many opportunities for nightlife entertainment. https://www.sandiego.com/attractions

Gaslamp District, San Diego




1-2: ABA Institute on eDiscovery changed to virtual
6: IAPP Global Privacy Summit 2020 (Washington DC) Canceled
9: HFMA Spring Conference Virtual Event
22-26: SAA 85th Annual Meeting (Austin) Canceled
23: IG and Infonomic$ Summit, 3-D Virtual Event
28: RIMPA International Summit Global Eyes on Information (Canberra) postponed
30: The Sedona Conference Working Group 1 Mid-Year Meeting (Phoenix)

May 4-6: DSF Document Strategy Forum (Chicago) moved to November 11-13th
May 4-6: MER Conference (Chicago) changed to virtual
May 6: CDO Summit (New York)
May 6-8: Privacy + Security Forum changed to virtual
May 12-13: DAA Digital Velocity Conference (San Diego) changed to virtual
May 12-13: Insurance AI and Innovative Tech USA (Chicago) postponed
May 12-14: CLOC 2020 Institute (Las Vegas) Canceled
May 14-16: NAID & PRISM International Conference (Orlando) Canceled
May 14: ISSA Cyber Executive Forum 2020 Virtual Event
May 18-21: Imaging National Archives 2020 (Washington DC) decision pending
May 18-20: Women in eDiscovery 2020 Conference (Austin) postponed
May 21-22: IAPP Canada Privacy Symposium 2020 (Toronto) still on as of 3/25
May 26-28: HIMSS Europe & Health 2.0 (Helsinki) moved to September 7-9
May 31-Jun 3: SCCE 2020 Higher Education Compliance Conference (Lake Buena Vista)

June 1-3: ARMA Canada Live 2020 (Winnipeg MB) decision by March 31st
June 1-3: ILTANet LegalSEC Summit 2020 (San Antonio)
June 8: ARMA Leadership and Development Conference (Seattle)
June 8: The Sedona Conference Working Group 6 International Meeting (London?)
June 8-12: Data Governance & Information Quality Conference (San Diego) postponed
June 9: 2020 ISSA Chapter Leaders’ Summit (Denver)
June 15: ILTA LegalSEC Summit 2020 (San Antonio)
June 28-July 1: HFMA Annual Conference (San Antonio)

July 7-11: NAGARA Annual Conference (Denver)
July 8-11: Society for Corporate Governance 2020 National Conference (Colorado Springs)
July 19-20: ARMA Leadership and Development Conference (Omaha)
July 20-22: IIA 2020 International Conference (Miami)

Aug 1-6: Blackhat USA 2020 (Las Vegas)
Aug 2-3: ISSA Cyber Executive Forum (Las Vegas)
Aug 2-4: NIRMA 44th Annual Nuclear Information Records Management Conf (Summerlin)
Aug 6-9: DEF CON 28 (Las Vegas)
Aug 15-21: IFLA 86th World Library and Information Congress (Dublin, Ireland)
Aug 17-18: TDWI Analytics Strategy Summit (San Diego)
Aug 23: ITLACon 2020 Annual Education Conference (Nashville)
Aug 31-Sep 2: WBR Digital Transformation Connect (Rancho Bernardo)

Sep 13-16: SCCE 19th Annual Compliance & Ethics Institute 2020 (Grapevine TX)
Sep 28-29: Big Data 2020 (Toronto)

Note: events highlighted in yellow have write ups in Trade Show Section




