For those attorneys and information governance practitioners unfamiliar with recent pedagogic advances, “real-world problem solving” moves teaching away from the classical model, which assumes individuals will operate logically and in their own self-interest, toward a more realistic view. That view acknowledges the power of wishful thinking, the uneven distribution of knowledge across populations, and the politics and dynamics inherent in groups (including, for our purposes, companies and other organizations). This is a challenge for anyone trying to sell outdated textbooks online; it is an improvement for people interested in actually making a difference.
Real-world problem solving is slowly but surely being accepted as the reality of information governance practice as well, and it is likewise an improvement where there are no simple or apparent solutions. Note too that there is no time to lose: while the information that people and organizations are collectively governing does not necessarily double year over year, it likely will double between 2020 and 2024. The situation is intensely and quantitatively complex and involves many moving parts, but the solutions need not be. Commonsense solutions can be the best approach for defensible practices, and they resonate best within the group dynamics that are the reality for most organizations struggling with governance projects.
As we noted in BakerHostetler’s 2021 Data Security Incident Response Report, and as applied specifically to the responsible organizational management of information, a few high-level issues lend themselves to simple heuristics that help define policy, achieve better uptake and, by extension, produce better practices. Education on these points, and real improvement in information governance, therefore starts with simple rules that supply a realistic philosophy for the actual challenges stakeholders will encounter.
Offer discrete steps that set responsibility and can lead to outsize effects:
Personnel without “information governance,” or “IG,” in their job descriptions are unlikely to be interested in reading verbose policies and procedures on the subject. Accordingly, with IG policy, less really is more. Instead of pages upon pages of esoteric definitions and special terms, consider using a policy approach that is short and clear. Explaining the objectives of the policy in terms of the risks it seeks to manage (e.g., information security and data privacy, government sanctions), emphasizing key issues for compliance focus (e.g., confidentiality, legal obligations), and remaining flexible in the face of dramatic changes (e.g., COVID-19) will drive behavior in the right direction for the vast majority of personnel. Do not attempt step-by-step instructions for achieving perfection, which truly is the enemy of good when it comes to information governance.
When it comes to special types of information with business value that persist over time or are subject to specific legal or regulatory retention requirements, your organization may need a schedule identifying the retention periods associated with types of records. A highly regulated business with a complex or decentralized information technology environment may need additional guidance for relevant personnel on identifying and handling certain records (e.g., providing examples and explaining how to securely dispose of them in their various forms). This additional guidance may take the form of procedural documentation where that would be helpful and effective, but it should also be the subject of practical training to an extent commensurate with the risks of noncompliance.
The importance of these issues is highlighted by compliance audits, whether internal or third party, not to mention other less predictable events that can put the reality of an organization’s information governance (in contrast to documented policy) under a microscope (e.g., lawsuits, government investigations). Frameworks that imagine workers scanning through policy documentation and applying retention or disposition mechanisms to each email they send or receive might be fictional in application. Instead, a policy might take actual workflow into account and avoid any unnecessary burdens.
While some burden is inevitable, it should be minimized, because every added burden reduces the likelihood of compliant behavior. Accordingly, instead of putting information technology users on the horns of a dilemma (do the job or be compliant), look for opportunities to centralize, automate and streamline. Ultimately, this is the path to governing information effectively in a world where all human beings are suffering from information overload.
We cannot overemphasize just how many organizations store too much information, for too long, in too many different places. Many widely reported security incidents involve old and useless information that no one needed to retain: data that no longer serves a business purpose can still be stolen, and the organization still bears the consequences of its exposure. In information security parlance, over-retention increases attack surface.
Unfortunately, the tsunami of spoliation sanctions cases leading up to the 2006 amendments to the Federal Rules of Civil Procedure created an enduring imbalance in focusing concern on the risk of failed compliance with preservation obligations. In recent years, the global proliferation of data privacy concerns and laws has swung the pendulum over to regulatory focus on data minimization or limitation. To increase the challenge, information technology use has evolved so that it is even harder to avoid storing sensitive information longer than necessary and in locations not protected or managed by IT security (including external devices, file shares and cloud services).
While promising tools for effective information governance are in development, the end user maintains a critical role at the center of our bring-your-own-device world, and information governance policy can’t lose sight of this human element. An artful information governance policy must articulate the risks associated with over-retention without diminishing the in terrorem effect of the litigation hold as a bulwark against spoliation. Raising awareness of the risks of data sprawl and providing tips on minimizing it, using examples tied to the organization’s particular information technology environment, should be considered for training associated with the policy.
Finally, policies, procedures, discussions, internal meetings and contemplation are wonderful. But without execution, a well-considered problem still remains a problem. While it is difficult to delete information, it’s not impossible. It does, however, take strategy to do it defensibly through operative policies, documentation and mechanisms for disposition. Successful deletion also may take a “push” – using opt-out mechanisms to encourage employees (and organizations) to let go of outdated, potentially risky information – to truly press delete and leave some of this information behind.