Information governance (IG) and data management
Data privacy and security
Risk mitigation and compliance
Data hygiene, retention and disposition
How can IG help prepare for AI?
Tips for in-house legal teams

www.legal-rm.com
“IG is the specification of decision rights and an accountability framework to ensure appropriate behavior in the valuation, creation, storage, use, archiving and deletion of information. It includes the processes, roles and policies, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals.”
- Gartner
Source: Gartner Information Technology Glossary
• A unified IG strategy balances the value, risks, and costs across the entire enterprise
• Data management policies are at the core of a well-defined IG strategy (see IGRM diagram)
• These policies, processes, and tools manage how the organization’s data and information are handled throughout the entire data lifecycle – from receipt/creation to disposition/destruction
Source: Information Governance Reference Model (IGRM)
IG helps organizations avoid and mitigate risks as well as enhance value, e.g.:
• Compliance
• Data Privacy and Security
• Corporate Reputation and Trust
• Litigation Holds and e-Discovery
• Data Hygiene for Better Decision-Making
• Cost Savings and Reduction of ROT (Redundant, Obsolete & Trivial) data
• Helps prepare for AI governance efforts
Source: ILTA Information Governance White Paper: Nov 2019
Who’s typically responsible for IG?
• Company Leadership (CEO/COO, etc.)
• Legal (Chief Legal Officer, General Counsel, etc.)
• IG/Records & Information Management (RIM)
• Risk & Compliance
• Data Privacy
• Security (SecOps)
• Information Technology (IT)
• Business Operations (BizOps)
• Lawyer – Present/future legal requirements in the organization’s activities, geographic locations (and storage locations)
• Strategist – Understanding role of data as key asset; looking ahead to new requirements
• Collaborator – Work with all internal stakeholders; ability to find common ground
• Doctor – You know what “treatment” the “patient” can stand
• Translator – Regulatory requirements to stakeholders / client needs to vendors
• Archeologist – You know a lot about where data resides at the organization
• Engineer – Define processes that are compliant, clear, and capable of being followed by the organization
“Legal Ops” describes the professionals, business processes, and activities that help the lawyers focus on the legal work. Common functions include:
• Cross-Functional Alignment – collaborate with other teams, HR, IT, Finance, etc., to maximize and leverage resources across the business
• Legal Technology & Process Support – manage the delivery and administration of the tools and processes that legal teams need to get work done more effectively, automating workflows and minimizing manual effort where possible
• Vendor Manager – manage key vendors, like outside counsel, ensuring compliance with OCGs, managing 3rd-party vendor contracts, ensuring compliance with standard T&Cs, managing renewals, etc.
• Business Manager – manage the “business” of the legal department, including budgets, staffing, oversight of departmental spend, etc.
Source: Corporate Legal Operations Consortium (CLOC)
Poll Question #2: What is your top IG priority?
Answers:
Data privacy and security – minimizing and mitigating the risk of a data breach or security incident
Compliance – meeting legal, regulatory and customer compliance requirements
Data classification, retention and disposition – categorizing data (data mapping), improving the quality of information, reducing ROT, reducing storage costs
Other – AI governance, access controls, etc.
Source: ILTA Information Governance White Paper: Nov 2019
Federal (U.S.)
Sarbanes-Oxley Act (SOX)
Health Insurance Portability and Accountability Act (HIPAA)
The Gramm-Leach-Bliley Act (GLBA)
The Federal Records Act (44 U.S.C. 31)
Foreign Account Tax Compliance Act (FATCA)
Payment Card Industry Data Security Standard (PCI-DSS)
Children's Online Privacy Protection Act (COPPA)
Federal Trade Commission Act (FTC Act)
Family Educational Rights and Privacy Act (FERPA)
Source: International Association of Privacy Professionals (IAPP)
State (U.S.)
California Consumer Privacy Act (CCPA)
California Privacy Rights Act (CPRA)
Colorado Privacy Act (CPA)
Connecticut Personal Data Privacy & Online Monitoring Act
Nevada Privacy Law (SB220)
New York SHIELD Act
Virginia Consumer Data Protection Act (CDPA)
Global
Australia’s Privacy Act 1988
Brazil’s General Data Protection Law (LGPD)
Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
European General Data Protection Regulation (GDPR)
India – Digital Personal Data Protection Act
UK Data Protection Act 2018 (DPA)
Mexico – Federal Law on the Protection of Personal Data
South Korea – Personal Information Protection Act
South Africa’s Protection of Personal Information Act (POPIA)
Tanzania – Personal Data Protection Act
Source: International Association of Privacy Professionals (IAPP)
Coming soon … more U.S. state data privacy laws
2024
Montana Consumer Data Privacy Act (MCDPA – eff. 10/1/24)
Oregon Consumer Privacy Act (OCPA – eff. 7/1/2024)
Texas Data Privacy and Security Act (TDPSA – eff. 7/1/24)
2025
Delaware Personal Data Privacy Act (DPDPA – eff. 1/1/25)
Iowa Consumer Data Protection Act (ICDPA – eff. 1/1/2025)
Maryland Online Data Privacy Act (MODPA – eff. 1/10/25)
Nebraska Data Privacy Act (NDPA – eff. 1/1/25)
New Hampshire Privacy Act (NHPA – eff. 1/1/25)
New Jersey Data Privacy Act (NJDPA – eff. 1/15/2025)
Tennessee Information Protection Act (TIPA – eff. 7/1/25)
2026
Indiana Consumer Data Protection Act (ICDPA – eff. 1/1/2026)
Kentucky Consumer Data Protection Act (KCDPA – eff. 1/1/2026)
Source: French National Commission on Informatics and Liberty (CNIL)
• $4.45 million - Global average cost
• $9.48 million - Average cost in the United States
• 27% - Breaches disclosed by the attacker, e.g., ransomware (33% discovered by internal teams)
• 204 days - Average time to detect a breach
• 74 days – Average additional time to contain a breach
• 82% - Percent of breaches that involved cloud storage
Source: Cost of a Data Breach Report 2023 (Ponemon Institute/IBM Security)
• Customer and employee Personally Identifiable Information (PII) the costliest
• Anonymized customer data the least expensive
• Damages to reputation and credibility can be immeasurable
Regulatory fines can also get your attention
• $170M - FTC issued a COPPA fine to online content provider for tracking minors’ viewing history for advertising purposes
• $16M – HHS settlement for HIPAA violation by insurance company that exposed health information of 79 million customers
• $1.2M – California AG settlement for CCPA violation by retailer for failing to provide consumers with opt-out mechanism
• $1.9M – New York AG issued a fine under the New York SHIELD Act for failure to notify affected consumers of a data breach
• $66M - $1.2B – Range of top 10 GDPR fines (appeals may be ongoing)
• PLUS – Damage to reputation and credibility
Poll Question #3: Data disposition IRL (in real life)
Question: Does your organization actually disposition (destroy) physical and electronic records when the retention period is up?
Source: ILTA Information Governance White Paper: Nov 2019
Data retention and defensible disposition
A well-designed, consistently applied, legally sufficient data retention policy can:
• Discovery / eDiscovery - Improve data hygiene and minimize risk - fewer places to search (especially legacy systems) means quicker and more robust discovery responses
• Litigation holds - Avoid charges for spoliation or destruction of evidence (monetary & issue sanctions)
• Minimization Mitigates Mistakes – Hackers can't get what isn't there
• Compliance - Demonstrate compliance with regulations on retention, particularly data with personal info or another’s proprietary info
• Value - Data integrity and access allow for faster, better decision-making
• Knowledge - Promote institutional knowledge and business intelligence by keeping information in data that otherwise might be unavailable with key departures
• Do identify the business value for an IG strategy and educate the business leadership to gain support from the top
• Do engage the right stakeholders from across the business, i.e., Security, IT, Legal, Risk, Privacy, Records/IG, etc.
• Do plan, implement, measure, and repeat what works well; change what does not work well
• Do segment operating procedures into separate policies and associated processes
• Do require mandatory employee training programs
• Do ensure that supplier/vendor contracts include data management and information governance terms, including immediate reports of data breaches
• Do perform periodic internal and external vendor audits to test compliance
• Do require compliance certifications as needed
• Do ensure access to sensitive data is strictly limited
• Don’t use scare tactics. They don’t work
• Don’t treat IG as a low priority. Good corporate hygiene and data management processes should be baked into employee behavior – like brushing your teeth
• Don’t expect IT to “own” IG. Cross-functional teams are needed to get IG done effectively
• Don’t be a data hoarder. Retention and disposition schedules are meant to limit risk to the business
• Don’t be a perfectionist. It’s okay to take reasonable steps toward compliance
• Don’t be afraid to ask for outside help. You can get assistance from your outside counsel, consultants, technology providers, etc.
Potential blockers
• Lack of budget
• Analysis paralysis / corporate inertia
• Lack of time / personnel resources
• Resistance to change / data silos
• Lack of internal knowledge / expertise
Paths forward
• Focus on pilot projects / quick victories
• Separate “new” information / data management efforts from old legacy data
• Build a positive business case, with input and assistance from other stakeholders
• Take preliminary steps to identify data locations/content
• Wait for institutional learning? (kidding)
Some not-quite-complete thoughts on AI …
• Data Quality / Integrity – GIGO (garbage in – garbage out) – improve training data sets through data maps, ROT reduction and lifecycle data management
• Transparency / Classification – better documentation of source data and lineage; capable of explanation and audit; may allow for better ethical decisions and consideration of bias and discrimination in data
• Privacy/Compliance – access controls; current compliance; preparation for coming regulations, e.g., the EU Artificial Intelligence Act
• Data Security – protect data sets and systems
Sources: EU Artificial Intelligence Act; NIST AI Risk Management Framework
Sources
Association of Corporate Counsel/eDisco, Trends in Technology and Transformation Report
Corporate Legal Operations Consortium (CLOC)
Cost of a Data Breach Report 2023 (Ponemon Institute/IBM Security)
EU Artificial Intelligence Act
French National Commission on Informatics and Liberty (CNIL)
Gartner Information Technology Glossary
ILTA Information Governance White Paper: Nov 2019 [requires ILTA membership]
Information Governance Reference Model (IGRM)
International Association of Privacy Professionals (IAPP)
NIST AI Risk Management Framework
Any questions for our panel?
This presentation and materials provided are intended for general informational purposes only as an introduction to the subject matters covered and do not attempt to provide legal or technical advice for any particular organization or situation. There has been no attempt to present a sufficient legal or technical approach that can be applicable without your involving further legal and technical professional services to review the facts and circumstances faced by any particular person or organization. No participant or subsequent viewer or reader should act or refrain from acting on the basis of any information contained in the slide deck or from the presenters without seeking appropriate legal, technical, or other professional advice. The comments of the speakers are their own and not necessarily the views of any current or former employer.