Building Out Your Information Governance Program - A Business Case for Lawyers
Businesses today produce an exhausting amount of data. One recent IBM study pegs this number at about 9.5 quintillion pieces of data per day, far outstripping the rate of data production over the past decade. That’s a lot of information to keep track of.
The average business tends to struggle to understand what exactly is in all that data. Unstructured data (files, media, and emails) is not organized in databases, making it difficult to search. Not knowing what is in unstructured data, or how to find it, is a huge problem considering it accounts for a whopping 80% of all data owned by businesses. (In fact, dark data discovery is listed as one of Gartner’s top 10 security projects of 2019.)
Getting a handle on unstructured data will not only improve your organization’s risk profile, it can also drive increased operational efficiency and positively impact your bottom line. Does Information Governance sound interesting?
Accountability Can’t be Outsourced
Businesses build protection all around their data, without knowing what kind of threat could come from within. With 58% of large businesses planning to move their workloads and workflows into the cloud, their security approach will need to change.
Data storage can be outsourced, but not accountability. Accounting for pertinent, litigation-related, and business-sensitive electronically-stored information (ESI) will remain organizations’ responsibility, wherever they choose to move their data.
A solid information governance program is one of the most important undertakings organizations can choose in order to solve that challenge. Without one, important files will be misplaced, data will be lost, and production request responses will be slow and inefficient.
Organizations that don’t take information governance seriously expose themselves to government sanctions, fines, civil liability, and loss of credibility. Just as importantly, they are also likely absorbing unnecessary costs and impacting their profitability.
By taking the time to understand what’s in their data and managing it intelligently, organizations see increased productivity & revenue, and reduced costs.
Reducing Burdens on IT and Increasing Productivity
When documents are misplaced, corrupted, or inaccessible, who do users call for help? That’s right, IT. IT should be focused on highly-technical system-wide issues, not doing other people’s work. Air-tight IG programs keep IT from having to spend time & resources hunting down hard-to-find files.
It also helps keep employees and executives focused on what matters most: their work.
Searching for documents and data may sound trivial, but it’s a real business problem. And an expensive one. Recent McKinsey & Company research underscored this when it found that workers often spend 19% of their workweek solely on data searching and gathering tasks. This means that during the traditional five-day work week, roughly one workday is wasted on finding critical data! Organizations that address this issue can expect up to 35% improvement in organization-wide productivity.
That alone is worth the trouble involved in implementing the right programs to manage documents.
Mitigating Risks Associated with Storing Older Documents and Data
An information governance program should account for the defensible deletion of older data. While this concept is often cited as a sound strategy for avoiding legal and litigation liability for maintaining outdated information, it can also be a great tactic for reducing the amount of data you have to preserve and store.
This is especially true when one considers how mass data fragmentation and duplication are impacting businesses. While the Compliance, Governance, and Organization Council (CGOC) noted that companies are making progress with defensible deletion, only 33% implemented a routine data deletion policy last year.
Naturally, these storage habits are pricey. Although storage costs hover around $0.25 per gigabyte for flash storage and $0.045 per gigabyte for magnetic storage, enterprises can expect to accumulate up to 50% more data year over year and up to 800% more data over the next five years.
This would not only offset potential savings offered by declining storage prices but also leave cloud-bound businesses vulnerable to increased hosting costs and vendor lock-ins.
Cutting Compliance & Breach Notice Spending
Using safeguards such as end-to-end encryption, multi-factor authentication, and user & physical access controls helps cut down compliance requirements, depending on your sector and the type of data you collect. But these measures will not be as efficient as they could be for organizations that don’t know what their valuable data is, or who can access it.
This is where information governance programs become useful. Sometimes referred to as Data Access Governance (DAG), an effective program under the IG umbrella ensures the right files are protected, and that only employees who should have access to them actually do (data breaches often come from within).
With the California Consumer Privacy Act (CCPA) that will come into effect in 2020 and the recently enforced GDPR, compliance budgets are set to increase by two-thirds.
This will help compliance officers get a better understanding of the data their organization holds and strengthen the efficiency of the security measures IT is putting much effort into.
Reducing Data Loss & Associated Costs
Defensible information governance not only helps organizations preserve chains of custody and metadata for litigation-sensitive files but also reduces inevitable blowback costs. According to Ponemon Institute, the cost of lost or stolen files containing sensitive business data or personally-identifiable information increased by 4.8% last year to $148 per file.
This amount can be reduced by $14 per capita for organizations that immediately engage their response team after an incident. Another $13 per capita can be saved when the leaked data is encrypted. Another very important cost-saving factor is the incident response policy woven into information governance programs.
It should detail incident response strategies, comprehensive security measures, clear stakeholder roles, and be immediately retrievable so organizations can quickly make their case with authorities.
It’s proof for breached organizations that they were indeed doing everything in their power to protect sensitive data. As a result, authorities tend to be less severe, which drives down the cost of fines.
Organizations using defensive information governance programs benefit in ways beyond maintaining EDRM best practices. They’re enabled to do something few organizations attain: make sense of their data. Knowing what’s in it, defensibly deleting what doesn’t have value, identifying their valuable files, and knowing who has access to it makes a difference.
Productivity is improved, litigation processes are streamlined, compliance risks are considerably lowered, security resources are used where they should be, and profitability is protected.
About the Author: Eric Pesale is an attorney who writes about business and legal issues for various publications, law firms, and companies. His articles on eDiscovery, cybersecurity, and information governance have been featured in CSO, The New York Law Journal, Above the Law, and Lexology. Eric is the founder and chief legal contributor of Write For Law®, and is admitted to practice in New York, Connecticut, and New Jersey.