From healthcare providers to the search engine behemoth Yahoo, no company, regardless of industry or size, is immune to data breaches. With more and more news about cyberattacks and security breaches appearing in our newsfeeds each day, organizations must face the facts and invest in protecting their information before it’s too late.
Information is an asset.
Your information is valuable to you, and potentially to hackers or others who might leverage it for their benefit. Information governance (IG) balances the value of information with the risks associated with the data. It is the overarching strategy that connects the diverse disciplines that leverage organizational information. It includes the following main items:
- Data Protection
- Information Recording
- Sharing Confidential Information
- Subject Access Requests
IG has everything having to do with the formation, utilization, storage and deletion of information – whether it is a document, electronic content or any other form of record.
“If information governance is not done properly you can end up with a data breach, which is the worst case scenario,” said BJ Johnson, Access Solutions Specialist. “There are also fines and audits. Auditors come down heavy when you don’t have information properly managed.”
Audits often reveal instances where organizations have not complied with industry and governmental regulations. Failure to adhere to stringent protocols could negatively impact your organization’s reputation and have financial consequences, not to mention that noncompliance can also increase the risk of compromised or stolen data.
Regardless of your organization’s size, it’s critical that the principles of IG be applied. This may be as complex as implementing technology solutions for things like data encryption or as simple as a strong and clear policy ensuring that confidential information regarding the company, its clients or employees is not discussed on social media and is kept confidential and protected.
In a world of rapidly changing technology and an explosion of data, effective IG is needed but it also presents some challenges. Here are the top four:
1. “It’s Not a Problem Here” Mindset
The same companies that suffered data breaches – Target, eBay – probably thought the same thing. Consider these statistics from Governance and Compliance in 2017: A Real World View:
- 48% would rate the maturity of their company’s information governance policies as “poor” or “very poor.”
- 24% describe their file management as “chaotic.”
- 64% agree – “Our biggest problem is not creating IG policies, it’s enforcing them.”
- 58% agree – “Our lack of effective information governance leaves our organization wide open and vulnerable to litigation and/or data privacy issues.”
And it’s not just large companies that are targets. Small and mid-size businesses often assume that they are off the radar screen when in fact they may be even more vulnerable since they may not apply the most sophisticated IT resources and rigor in protecting their data.
IG needs to be an organization-wide priority. Treat information as an asset. Choose the proper RIM and IG policies, processes and software and train employees on the appropriate use.
2. Too Much Data
The production of information, whether personal, proprietary or public, has been growing exponentially; in the last two years alone, more data has been created than in the entire history of the human race before that time. Businesses are wrestling with information overload, the cloud, remote workforces and BYOD. Understanding where information is and what should be protected is a major challenge.
Some information is more valuable than other types. It is important an organization knows where the data is, what attributes it has and the rules that apply. “As the volume of content continues to rise, large and small enterprises don’t know what they have until it’s too late,” said Jim Farrell, SVP Products, at Access.
There are hard costs and soft costs associated with managing the tidal wave of data and enforcing IG policy. But the costs of not managing this data with a sound approach to IG can be even more costly. Large amounts of electronically stored information (ESI) can drive up storage costs, raise the costs and risks of eDiscovery and regulatory noncompliance and negatively impact employee productivity. An often overlooked part of information governance is the destruction of records, be they physical or electronic. Keeping records beyond their useful or statutory requirement date may actually raise your risk, as well as your costs. Inertia and doing nothing can cost you.
Legal compliance is challenging as it can vary greatly and changes often. It depends on the country, industry and subject matter. In today’s increasingly regulated environment, and with the recent increase in fines for Form I-9 violations, employers must ensure their hiring practices comply with stricter employment laws. Organizations that don’t could face fines anywhere from 35 percent up to 96 percent, depending on the violation.
“If large and small enterprises had HR and IT systems in place to ensure legislative compliance obligations were met, they would spend less time on mundane tasks like employment eligibility verifications, I-9s, HIPAA and PCI compliance, and certification and training requirements,” explained Farrell. He added that more time could be devoted to “Human Capital” mandates such as leadership building, mentoring and talent evaluation.
Is IG worth the struggle?
Although implementing a strategic and effective information governance strategy can be challenging, in today’s world, organizations have no choice. Luckily, the steps to develop a successful strategy don’t need to be difficult. Whether you are considering a simple approach to get started or you’re looking for a fully developed, technology-driven solution, Part Two of our blog will show you how to face these challenges head-on while reducing your risk and lowering your costs.