
Information Governance Toolkit

Table of Contents

ARTICLE
3 Achieving Information Governance Enforcement: Engagement, Enablement and the Change Journey
By T. Sean Kelly, FTI Technology

ARTICLE
5 Achieving Information Governance Enforcement: Ensure Policies Aren’t Left to Collect Dust
By T. Sean Kelly, FTI Technology

ARTICLE
7 Skills You Need To Climb the Mountain of Data Challenges
By Sonia Cheng, FTI Technology

ARTICLE
9 How to Safeguard the Crown Jewels in the Age of Information Security Threats
By Jake Frazier, FTI Technology

ARTICLE
15 Preparing for the Breach: A Look Into Essential Cyber IG Practices
By Ricci Dipshan, Law.com

WHITE PAPER
18 Tackling Data Security Risks
Advice from Counsel

WHITE PAPER
28 Identifying & Protecting the Corporate Crown Jewels
By Jake Frazier, Senior Managing Director, FTI Technology

ARTICLE
40 Why Data Deletion Makes Sense (and Dollars)
By Jake Frazier, FTI Technology

corpcounsel.com | March 3, 2017

Achieving Information Governance Enforcement: Engagement, Enablement and the Change Journey

T. Sean Kelly

After years of wading through increasing data challenges and the unpredictable evolution of cyber security threats, corporations are increasingly considering the importance of information governance.

We’re seeing meaningful progress in the ability of legal, IT, records, compliance and security teams to work together and establish internal cross-functional IG committees. And with this progress is a growing eagerness among these groups to maximize and measure their investments.

Most large companies today have either implemented an IG program, hired IG personnel or have plans to do so in the near future. Those that have taken the step of getting programs up and running have typically spent a sizeable portion of resources to do so, and are accountable to garner some ROI from them. All too often, even after an investment into IG has been made, many projects are not monitored for compliance and success or kept evergreen, thus falling short of leadership’s expectations for success.

Policy enforcement is a challenging task for most organizations—more so for those in regulated industries that have a highly complex legal and compliance profile. The more regulated or more geographically diverse a corporation, the more burdened it will be with nuanced policies and compliance requirements. Legal hold is one common area where these challenges play out, as it can be very difficult for organizations to scope the correct individuals that need to be under legal hold, and limit retention to only those individuals, so excessive data isn’t retained unnecessarily.

While technology is a necessary piece in ensuring that IG programs are sustainable and enforceable, there are best practices that should be taken into consideration at the outset of any IG effort. Following is an outline of some guiding steps that will allow IG teams to build enforcement into policies from the ground up. Additional best practices will be discussed in a follow-up article.

• Cross-Functional Support: To be successful, IG must be a cross-stakeholder initiative with sponsorship from top company leadership. Legal, compliance, security, IT and records departments should work together to determine enterprise wide initiatives that need streamlining. Stakeholders can partner to achieve their range of unique goals through the implementation of a single IG effort. But before creating a laundry list of needs, the team must work together to understand the confines of the internal landscape, such as the corporate culture as it relates to risk and changing business processes.

By evaluating each group’s varying motivators through the lens of the company’s culture, stakeholders can begin to understand the ‘gives’ and ‘gets’ involved in building new policies and implementing new technology. During these discussions, stakeholders should come to the table prepared with a risk analysis and ROI calculations for proposed projects.

• Executive Sponsorship: An IG project simply cannot be successfully implemented—or enforced—without C-level involvement. The key to gaining their buy-in is communicating the program’s benefits that will specifically address their pain points. If the executive sponsor is the general counsel, building the risk case for that person is critical—this includes the risk of not disposing of data that has met its retention requirement, and is not subject to legal hold. If sponsorship is solicited from the CIO or another IT leader, they may be more likely to embrace a project that addresses data minimization and defensible disposal. Business leaders or board members will be more focused on the costs and overall impact to the bottom line and mitigated risk. Quantify what the business will save in the long run, the risks involved and how those risks will be mitigated. Generally, starting with small projects can show value quickly and grow in scope (and ROI) over time.

The corporation’s existing risk framework, which prioritizes the organization’s highest risks, such as regulatory/sanctions, reputational, etc., can help the team evaluate which risk categories IG will impact, and make a business case for IG investments that can mitigate key risks without becoming financially prohibitive. This business case should also take into consideration the cost avoidance of possible penalties for failing to comply with various regulations in any region where the company does business.

• Change Management: In IG, the course of changing business processes should be rooted in compliance. Change is difficult for many people and becomes exponentially more so in large organizations where a wide range of varying priorities and personality types exist. Understanding how to effectively manage and enable change—and approaching it as a journey—is essential for anyone looking to drive IG. Legal and compliance departments have the opportunity to help their IG cohorts and the rest of the organization understand the fundamental legal and regulatory drivers behind the proposed changes.

One of the most widely accepted methods for implementing change management is the Kotter 8-Step Change Model, which was developed to help organizations become adept at progress. Some of the key tenets of this model, which will help with managing data challenges, include creating urgency, clearly communicating the vision, identifying and eliminating obstacles, setting short-term realistic goals that foster a sense of achievement among those involved, and making changes permanent by solidifying adoption and addressing opposition head-on.

When in-house counsel work strategically with the IT and records departments, they can make a huge impact in implementing technology to enforce and support the policy and track company-wide compliance thereof. Establishing a cross-functional team to spearhead these issues with executive sponsorship is the critical first step in the right direction. Part 2 of this article—"Achieving Information Governance Enforcement: Ensuring Policies Aren’t Left to Collect Dust"—will outline additional best practices that lead to IG enforcement and prevent important policies from falling to the wayside.

T. Sean Kelly is a senior director within FTI Technology’s information governance & compliance services practice.

Reprinted with permission from the March 3, 2017 edition of Corporate Counsel © 2017 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 016-03-17-08
corpcounsel.com | March 6, 2017

Achieving Information Governance Enforcement: Ensure Policies Aren’t Left to Collect Dust

T. Sean Kelly

A lot of organizations have created general information management policies, which are typically owned by the records or knowledge management teams. These policies include a retention and deletion schedule that in theory should be defensible, and address legal hold and compliance needs. But in practice, these policies typically cannot be executed upon or maintained. FTI’s Information Governance & Compliance Services practice helps corporations figure out why their policies, well-thought-out implementations and information governance investments have been left to do nothing more than collect dust.

Legal hold is one common area where these challenges play out, as it can be very difficult for organizations to scope the correct individuals that need to be under legal hold and limit retention to only those individuals. This process requires close compliance monitoring to ensure that the process is defensible and safeguards against possible spoliation charges in litigation, which can come with steep penalties. Similarly, migrating to a new system—such as Microsoft Office 365—is another endeavor where the need to proactively address and enforce IG becomes apparent. When corporations think about these issues strategically, IG parameters and legal hold needs can be built into new systems as they are integrated into the IT infrastructure.

Technology that allows the legal team to monitor data deletion and retention activities is a critical element. There are also best practices that can help ensure IG programs are sustainable and enforceable. Part 1 of this article—"Achieving Information Governance Enforcement: Engagement, Enablement and the Change Journey"—discussed the importance of cross-functional teams, executive sponsorship and change management. Below are additional best practices that will enable the company’s IG stakeholders to achieve long-term policy enforcement.

• Training: When rolling out a new legal hold program, Microsoft Office 365 migration or any other IG initiative, it is imperative to have a computer-based training module in place for all users. Executive sponsors can be particularly helpful in ensuring that the training is mandatory for everyone in the organization—a key factor in maintaining long-term viability of IG policies. Outside advisors can be particularly useful at this stage, as they are able to help the internal teams outline the critical components of the program, develop audience specific training materials, identify what users will need to be trained on and determine what the depth of that training should be.

Training should not be out of the box from software providers, nor should it necessarily be the same for everyone in the organization. Training collateral should be tailored to the organization’s unique needs and show users what the new policies look like within the context of their work environment. For example, for legal hold projects, it is important to establish if users understand which records and individuals may be subject to legal hold vs. which won’t. It’s also useful to build a dedicated page available to all internal users that offers reference guides and FAQs dedicated to explaining new policies and tools that are being used.

• Strategic Technology Implementation: Every technology evaluation that impacts the company’s data in any way should involve the legal and/or e-discovery team, in addition to records, IT and compliance. This is particularly important when it comes to legal hold implementations. The process should start with clear goals for the project, such as thoroughly retaining data for any custodians that are under legal hold, monitoring activity per compliance requirements and escalating events of non-compliance to stakeholders. The most critical feature a product should offer is the ability to monitor and flag activity—this will make the biggest impact in achieving and maintaining IG enforcement. Robust monitoring capabilities will enable the IG sponsor to see when legal holds—or other policies—are not being acknowledged and escalate the issue to promote and enforce adoption of the processes.

Another important consideration is the existing data structure and overall IT infrastructure. For example, when an organization’s data is all on shared drives, solutions must have the appropriate plug-ins to integrate with systems impacted. It is also important to consider how to automate deletion of data that is not subject to the established retention schedule, and strategically define when/how the organization stores its data. Having a set of clear goals at the forefront when evaluating technology will go a long way in ensuring that the team is asking the right questions during the purchasing process.

Tools that are offered as part of a broad suite of offerings typically do not have the sophistication to make sure nothing falls through the cracks. Best-in-class products that are purpose built for the one thing needed—such as legal hold or document and revision management—will be more successful in doing a thorough job and successfully integrating with existing systems.

A technology evaluation undertaken by a large manufacturing company serves as an example of one that was done really well. The company was liable for claims that otherwise could have been mitigated had the organization’s data deletion processes been executed. Essentially, the legal team was facing the burden to produce data that would have been defensibly disposed of had end-users complied with existing IG policies. By enforcing legal hold through a specific tool, and integrating it into their compliance and IT programs, the legal team was able to ensure that data could be defensibly and automatically deleted as soon as it was no longer subject to legal hold or any individual’s retention schedule.

The ability to automate IG as much as possible, and track compliance across the company is absolutely critical in achieving ROI from the precious time and resources that are invested in building out these programs. Ultimately, it is up to the collaborative team of stakeholders to ensure that training and change management are addressed in a strategic and thorough way, and that technology solutions are selected based on the organization’s unique and diverse needs. These important steps will promote IG wins and make it possible for the team to measure long-term adoption and success.

T. Sean Kelly is a senior director within FTI Technology’s information governance & compliance services practice.

Reprinted with permission from the March 6, 2017 edition of Corporate Counsel © 2017 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 016-03-17-09
BEST PRACTICES Skills You Need To Climb the Mountain of Data Challenges

Skills You Need To Climb the Mountain of Data Challenges

by Sonia Cheng

Sound information governance (IG) procedures are critical to broader legal, compliance and IT strategies. IG helps maintain compliance, reduce e-discovery costs, streamline large data volumes and bolster cybersecurity. Strategic and documented IG can also be helpful in defending data retention practices against motions for sanctions during litigation.

First, though, it is important to know what skills attorneys need to get these programs off the ground and how to bolster their abilities to ensure successful projects. Here are some of the skills needed to address data challenges:

The initiative to secure collaboration across departments and among key stakeholders. IG initiatives require approval and implementation from stakeholders across the organization; their success depends on creating an inclusive team that reaches far beyond the legal and IT departments. Establishing appropriate policies and controls can be complicated by the requirements of various regulations, large data volumes, the number of individuals accessing records, new data types and the varied applications found within most organizations.

Any legal professional looking to work toward proactive IG must first have the initiative to secure buy-in across IT, information security, risk and business stakeholders and to foster a collaborative cross-department team that can work collectively on building IG goals and programs. Once stakeholders are on board, getting these programs off the ground becomes much more realistic. Involving the board and senior management is key to securing resources and funding.

An understanding of security vulnerabilities and how to address them. Figuring out where data breaches happen is critical to preventing them. Employee negligence, a mobile workforce and hacking are the top causes for breaches. One third of all known breaches come from loss of personal devices — and consider how much easier it is for a criminal to steal a device rather than penetrate an organization’s network. Counsel must be aware of the range of risks and work with other IG stakeholders within the organization to manage employees and ensure they understand their dynamic role in maintaining data security. An ongoing program that includes regular training and awareness campaigns is key to educating employees on current threats and how they can modify their behavior to reduce the possibility of a breach.

The ability to manage change. Change is difficult for many people, especially for attorneys rooted in traditional methods and resistant to adopting unknown technologies. Understanding how to effectively manage and enable change is essential for anyone looking to drive IG. Writing a data security policy is one thing, but the ability to translate security requirements into operations requires a holistic approach involving people, process and technology.

To do this, ensure that business executives are represented on the program’s steering committee, and have metrics and accountability visible at the board level. Sometimes this requires engaging risk and compliance stakeholders to ensure you have appropriate fail-safes to help reinforce change.

The widely accepted Kotter Eight-Step Change Model can help with managing data challenges. Some of its key tenets include creating urgency, communicating the vision, identifying and eliminating obstacles, setting short-term realistic goals that foster a sense of achievement among those involved and making changes permanent by solidifying adoption and addressing opposition head on.

A sense of when to call in reinforcements. Outside experts can help guide IG efforts and identify weak points in the overall compliance structure, so know when to call on them. The IG professional must also evaluate these outside providers and be familiar with what to expect from them. The experts’ findings not only inform stakeholders of needed improvements, they could also help sway reluctant executives to invest the needed time and money into these efforts. Holding outside providers accountable to budget estimates, timelines, deliverables and security standards will go a long way toward ensuring initiatives meet internal benchmarks.

A knowledge of sound budgeting practices. There is an ongoing industry-wide struggle to control e-discovery and other data-related costs. Knowing how to achieve budget predictability is a critical skill that can have a lasting effect on the success of any matter. As the industry matures, more lawyers are turning to master service agreements to negotiate alternative billing models and achieve greater budget predictability. Another way to control budgets is to recognize the ways technology can affect the time and cost of a project. Sophisticated legal teams are using analytics and predictive coding to identify sensitive information for IG purposes or to uncover key facts for legal or regulatory matters. This helps reduce the time spent wading through large volumes of information, reducing overall costs.

A solid grasp on technology capabilities and limitations. Technology provides a variety of solutions to assist in getting data under control. When kicking off any initiative to address data security, remediation, preservation optimization or modernizing storage, the wise professional will become educated on the range and costs of technology solutions offered and emerging innovations disrupting the status quo. Without a clear picture of how technology plays into IG, lawyers will continue to struggle in addressing security challenges. Counsel must also understand the limits of the technology being implemented and plan for how to navigate around those restrictions. Do not let perfect be the enemy of good. Take the time to prioritize requirements and implement solutions that address the biggest areas of risk.

A global perspective. Data breaches are a global problem, and your firm must stay current on the latest regulations wherever it has operations. The passage of the EU directive on the Security of Network and Information Systems (NIS) requires companies operating in critical sectors to satisfy wide-reaching incident reporting obligations. This, coupled with the General Data Protection Regulation (GDPR), which allows fines of €20m or four percent of global turnover, is a reminder to global organizations that they need to evaluate their obligations and take steps to be ready when regulations come into force.

Skills To Climb the Mountain

We continue to see that the rapid evolution across the legal industry is being met with flexibility, creativity and innovation. Legal teams are acting nimbly in a changing environment and are working diligently to stay in front of data disasters. The successes — and the failures — we read about in the headlines are shaping best practices for data security, IG and technology implementation. By building the skills and knowledge outlined above, practitioners will be better equipped to climb the mountain of never-ending data challenges.

SONIA CHENG
As Senior Director at FTI Consulting, Sonia Cheng leads information governance initiatives for FTI’s technology practice group, helping organizations deal with the challenges associated with exploding data volumes and complying with complex global regulations. Sonia has deep experience in transformation and change across related disciplines in e-discovery, records management, archiving and storage optimization. Contact her at sonia.cheng@fticonsulting.com.

This article was first published in ILTA’s Winter 2016 issue of Peer to Peer titled “Professional Development: Sharpen Your Skills” and is reprinted here with permission. For more information about ILTA, visit www.iltanet.org.

WWW.ILTANET.ORG PEER TO PEER: THE QUARTERLY MAGAZINE OF ILTA | WINTER 2016


How to Safeguard the Crown Jewels in the Age of Information Security Threats

By Jennie McQuade and Jake Frazier

Not all enterprise data is created equal, nor should it all have the same protections. Well-publicized data breaches, from customer credit card information to employee health records, highlight the increasing need for companies to better secure sensitive data. However, many organizations lack executive support for information governance, and others feel hampered due to their legal or regulatory profile.

ACC DOCKET NOVEMBER 2016 45



In the last two years, data breaches have plagued organizations across every industry and in the public sector, including Ashley Madison, the IRS, BlueCross BlueShield, CVS, Experian, Army National Guard, Sony Pictures, and many more. As technology evolves and security risks rise, lawyers are confronted with an increasing challenge to satisfy their ethical duties of competence and confidentiality, making the issue of securing data and mitigating breaches increasingly severe.

This article will explore data breaches in detail, discussing how counsel can respond to these events, and outlining practical ways to implement a tiered approach to securing a company’s crown jewels.

The recent Advice from Counsel (AFC) study, which examines practices within Fortune 1000 legal departments, found that 76 percent of respondents have information governance programs — dedicated staff and budget — and that data security is the number one driver for these programs. Similarly, an article in Bloomberg Businessweek cited insider threats, both intentional and accidental, as the biggest concern for more than 70 percent of information security managers. However, the initiatives cited in the AFC study ranged across 30 different focus areas, including data security, efficient records retention, data analytics, and data optimization for litigation needs, underscoring the challenge organizations often face with information governance. How can in-house counsel implement programs that are continually improving and holistically addressing all major data challenges, while simultaneously resulting in tangible benefits?

In looking at information governance for data security specifically, AFC study respondents identified four key areas:

• Securing sensitive personally identifiable information (PII) for clients/customers, patients and employees, and fulfilling the responsibility for protecting the sensitive information of customers and employees;
• Securing sensitive company IP;
• Creating a tiered security network to protect against cyber security threats; and,
• Developing protocols and systems to ensure secure access to the network by partners and other approved third parties.

The parsing of “data security” into these buckets can help organizations take a large challenge — protecting the organization’s data from internal and external threats — and channel it into initiatives that are smaller, more focused, and easier to accomplish. Protecting customers’ credit card information, for example, may require different technology and processes than authenticating the identity of employees trying to access the company’s intellectual property. Depending on the industry and its regulations, a company’s crown jewels can include customer credit card records, salesforce client lists, proprietary IP, and employee or patient health information. Whatever a company considers its most valuable or sensitive data, the steps for securing that data through information governance are the same.

Origins of security leaks

Understanding the root of most data breaches is critical to prevention. Employee negligence, a mobile workforce, and hacking are the three causes for most breaches. Below is an overview of each of these areas, which is the first step in helping counsel understand exactly where security events originate.

Employee negligence

According to the Ponemon Global Cost of Data Breach study, breaches attributable to employee negligence rose by 72.7 percent between 2012 and 2013. The ACC Foundation’s The State of Cybersecurity Report: An In-house Perspective found that in 2015, employee error was the leading cause for data breaches. This type of breach happens when employees accidentally download malware, fall victim to hacker schemes, or inadvertently email confidential information to the wrong contact, among other actions. It’s important for counsel to be aware of this risk, and work with other information governance (IG) stakeholders within the organization to manage employees and ensure they understand their role in maintaining data security.

The 2010 breach of employee log-in credentials and other data at Business Wire serves as a prime example of employee negligence resulting in compromised security. In this case, a Ukrainian hacker penetrated Business Wire and other newswire companies using a tactic known as spear phishing. The hacker sent emails to employees that appeared to be legitimate. When employees clicked on the email, however, hackers then gained access to the entire company’s systems. There are many similar examples, which highlight how thorough employee education and training can make a notable impact on data breach prevention. Companies that fail to educate employees on potential dangers and safety best practices will remain at risk for future breaches.

Mobile

One third of all known data breaches come from loss of personal devices, which is particularly troubling, as this medium simply requires a criminal to steal the device, rather than penetrate the entire company’s network like with other methods. The increase in BYOD (Bring Your Own Device) workplaces is further complicating the risks of a data breach by mobile device, and will continue to be a dynamic problem for IT and legal departments.

In 2010, Educational Credit Management Corp., a nonprofit guarantor of student loans, experienced a breach of this nature when a portable media device containing sensitive data was stolen. The breach compromised PII such as names, addresses, and social security numbers for more than three million people, and was estimated to impact up to five percent of all federal student loan borrowers.

Hacking

Cyber criminals, disgruntled employees, and corporate spies are all potential perpetrators of hacking. As noted in the Business Wire example above, hackers will use tactics including spear phishing email attacks and website defacements to expose employee naïveté; or use malware and other tactics to break into corporate databases. Insider data theft and external data migration are common methods used by rogue employees or spies with inside access.

One of the most recent examples of hacking is the devastating Anthem, Inc. breach, involving the loss of per-

compromised names, birthdates, medical IDs, Social Security numbers, employment information, and more for former and current customers and employees. This ultimately resulted in far-reaching consequences for the company and for the tens of millions of US consumers. This is the largest healthcare breach in history, and beyond the extensive cost and reputational damage to Anthem and its brands, the company faces regulatory discipline.

Hilton Worldwide also confirmed a data breach in late 2015, resulting from hackers gaining access into its point-of-sale systems, and installing malware that enabled the theft of customer names, credit card numbers, and security codes. The full scale and impact of this breach is still unconfirmed, but it serves as yet another example of the various ways cyber criminals can infiltrate corporate data, and why it is so critical to proactively identify and secure high risk data.

Ethical obligation

Another key point for counsel is the matter of ethical obligation, specifically pertaining to what level of duty counsel has in both preventing and communicating data breaches. Federal and state laws require companies, including law firms, which are depositories of information, to implement reasonable security protections to safeguard personal data. In connection with these laws, companies must report breaches related to personal data. Currently, 47 states have “breach notice” laws, which generally require notice to all affected parties and relevant agencies within a certain time period. For example, in New York, reporting is required as soon as possible, unless notice would impede law enforcement investigations. Fines up to US$10,000 per instance of failed notification can result if reporting is not carried out in

report suspected breaches to those impacted, a lot of gray area remains around the guidelines for disclosure. In some industries, customer contracts that require notification within a certain period of time are becoming increasingly common.

Most large corporations have, at a minimum, some level of security monitoring and notifications in place. According to a 2014 article in Security Week, these company devices are generating an average of 10,000 security events per day, with the most active generating 150,000 events per day. With tens or hundreds of thousands of potential breaches daily, there is no reasonable way for a company to disclose or even investigate each event. While the law indicates that any reasonable anticipation of a breach must be reported to those affected, security teams can only investigate a fraction — about four percent — of these events each day, leaving a great deal of uncertainty.

Last year, TalkTalk disclosed a breach that resulted from a distributed denial-of-service (DDoS) attack, impacting millions of its customers. While TalkTalk commendably took fast and decisive action in communicating the breach — to the extent of publicly stating that potentially all of its customers were affected — the subsequent investigation determined that only a fraction of those were actu-

Jennie McQuade is the chief privacy officer and chief legal counsel for Swisslog Healthcare, a member of KUKA Group, a global supplier of intelligent automation solutions. The views expressed in this article are the author’s and not necessarily those of Swisslog or KUKA Group. jennie.mcquade@swisslog.com

Jake Frazier is a senior managing director of FTI Consulting, based in Houston, TX. He heads the information governance and compliance practice in the technology segment, and helps identify, develop, evaluate, and implement in-house e-discovery and information governance processes, programs, and solutions. jake.frazier@fticonsulting.com
sonal information for approximately a timely and thorough manner. While ally impacted. This keenly highlights
80 million people last year. Hackers the laws are clear that companies must the complexity of breach investigations

ACC DOCKET NOVEMBER 2016 47



and the need to be thoughtful in determining when and how to disclose security events to the public.

Beyond duty to disclose, counsel is also obliged to consider the ethical obligation to maintain a level of technical savvy. In the Play Visions v. Dollar Stores, Inc. case, sanctions were ordered as a result of counsel’s failure to appropriately search for electronic records in a timely fashion as well as failing to guide the client’s production of discovery responses. Because counsel did not take an active role during the e-discovery process, they were ruled to have failed to meet the ethical obligation to competently represent the client.

ABA Model Rule 1.1 states “a lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” In dealing with data breaches, it’s critical for counsel to understand the following:

■ Data sources and retention practices: The lawyer needs to be able to identify and describe sources of electronically stored information (ESI), as well as understand the retention policies and practices that impact on the availability of ESI for production;
■ Impact of their choices: Counsel must know how their handling of ESI will impact the completeness and accuracy of their responses to discovery requests; and,
■ Accuracy of facts: It’s key to have clear and accurate representation of the facts that are being shared with opposing counsel and the court.

“Quick wins”

■ Form a working committee across teams — security, legal, and IT — to get the conversation started;
■ Develop short-term and long-term data security goals that can include:
  ■ To-do lists and timelines;
  ■ Creation of a Governance Committee to begin policy development;
  ■ Interviewing employees to map how data comes in and where it is stored;
  ■ Determining which department will lead the information governance initiative; and,
  ■ Deciding an information governance budget.
■ Leverage existing security mechanisms and passwords to better protect devices;
■ Develop formal policies to manage data; and,
■ Include data security best practices in employee training programs, including for the pre-hiring and on-boarding process.

Finding and securing crown jewels

In information governance, counsel is almost always focused on litigation hold and managing e-discovery budgets. Legal teams want to support and implement information governance, but are unsure of how those initiatives map back to the legal team’s responsibilities and needs. Conversely, the CISO and CIO have growing budgets and an inherent focus on securing data and leading large, company-wide transformational initiatives that have long-term ROI. But these groups — and others — share a common interest when it comes to protecting the company’s most valuable data.

Generally, three key groups within companies should participate in identifying which data counts as a crown jewel: the legal department, the records management group, and the businesspeople. Each group should be given access to the underlying database where the records are kept, as well as its own interface into the data. For example, the legal group interface can help manage legal holds, while the records management interface assists in tracking what information must be retained for which length of time as part of the company’s document retention policies.

Crown jewels can be separated into several categories: data that must be preserved for legal or regulatory obligation (i.e., legal holds); valuable data assets (IP or customer lists); and data that must be protected (customer PII, employee information). Once the crown jewels have been defined and located, processes can be developed to keep the data safe. When considering steps for securing critical information, organizations should look for solutions that protect against threats like hackers, but also safeguard data from those inside the organization.

By working closely with the stakeholders across the company, and with the CIO/CISO, legal teams can put protections in place and collaborate on programs that bolster e-discovery efforts, ensure fulfillment of legal obligations to secure data, and make it easier to mitigate increasing security risks. Some important steps to take in partnership with these stakeholders include:

■ Establishing a sophisticated, central repository for the crown jewels, including granular security including authentication, access tiers, and controlled permissions;
■ Supporting sufficient storage and backup for the crown jewels database;
■ Enabling tracking for which employees are placing information in that repository and accessing data stored there;
■ Ensuring email servers are private;
■ Encryption of sensitive documents;



■ Implementing Secure Socket Layer (SSL) protocol, which manages authentication and encrypted communication between users in a network;
■ Using security information and event management (SIEM) tools to analyze security activity in real-time;
■ Password protecting devices and keeping passwords protected and separate from encrypted documents;
■ Employing remote access to wipe and locate lost or stolen devices;
■ Controlling use of public cloud providers such as Dropbox and provide easy ways for employees to securely access these providers without hindering functionality; and,
■ Training employees on policies, procedures and safeguards to ensure widespread adoption and enforcement of programs.

Some of the same techniques that help organizations identify their crown jewels can also help find documents that no longer have any value and should be deleted. Valuable information should be stored under lock and key, while the junk should be tossed out.

Achieving quick wins

Nearly a quarter of advice from counsel respondents said that the initial challenge with information governance is deciding where to begin. To avoid this “analysis paralysis,” it may help to bring in a third party that can manage the project, achieve some quick wins (see sidebar), and build momentum for an information governance program without significant cost.

Through these quick wins, survey respondents with dedicated information governance programs have realized the tangible cost benefits and achieved an ROI through reducing storage costs, reducing the amount of data to review as part of the e-discovery process, and reducing the risk of data breaches. As a result, in-house counsel can further protect the company’s reputation.

Global considerations

Earlier this year, the European Union revealed that the new EU-US Privacy Shield agreement was forthcoming as a replacement for the former international Safe Harbor Privacy Principles adopted by the United States and members of the European Union. The Privacy Shield will outline and enforce rules for how protected data residing in Europe is transferred and treated across US borders, and aims to bring some consistency in ensuring privacy through international data sharing. Aside from the vast implications for cross-border e-discovery and investigations, the Privacy Shield will also affect how multinational organizations approach information governance.

The aforementioned steps for securing crown jewels include actions, such as scanning file shares and email, and migrating data to a central repository. However, corporations with global email systems are not able to take that approach given the varying data protection regulations across Europe (i.e., Privacy Shield), Asia, etc. Instead, counsel can implement a zone approach that isolates IG programs by region.

While an organization may run scanning tools on data residing in North America, that approach would potentially violate data protection laws in Europe or other strictly regulated areas, such as China. The steps for identifying crown jewels in international jurisdictions can be modified and tailored to comply with data protection requirements in each zone, ensuring consistent and adequate protection of the crown jewels company wide.

Peer insights

In addition to the steps above, respondents in the AFC study mentioned earlier in the article provided their insights for broader information governance success. These include:

■ Secure executive buy-in. “A program of this kind takes time and money so you need someone at the top level of management who “gets it.” It’s important to remind senior managers of their fiduciary duty to protect sensitive data.
■ Develop cross-functional teams. To avoid duplication and wasted time or money, “you need to get everyone talking to one another about what they’re doing and what needs to get done.”
■ Secure your sensitive data. “Invest in people that know how to protect data and how to use it effectively. Generating data is not very good unless you are ready to use it and can protect it.” This also includes ensuring that systems are up-to-date and back-up tapes are remediated in a timely and defensible manner.
■ Don’t forget about data privacy regulations. “Beware of all of the international data privacy regulations and their amendments. You must understand that transferring data across borders is a very sensitive issue, even when the company has operations abroad.”
■ Get outside help. For those in highly regulated industries, this was a recurring theme. “Work with professionals. Hire outside counsel




and others who have been there before. Make sure they understand your business to ensure that what they give you is not off-the-shelf, but suited to your business. It is basic common sense for anyone who is in a highly regulated environment. Each company’s facts and circumstances are different so take the time to work with someone who knows you.”
■ Think about your end-user. “Give people tools so they are not taking shortcuts that bypass your protocols. Make it easy to access information so that people are not enticed into making poor judgments about the protection of information where you could have a breach.”
■ Don’t let perfect be the enemy of good. Several study respondents discussed how to create realistic benchmarks that deliver results and focus on business requirements, even if they don’t solve every challenge. One professional suggested, “To develop a complete map of what you have and where it is can be extremely time-consuming. We have incrementally become more aware of information that isn’t governed as much as we thought because it exists in silos around the company in a way we didn’t appreciate at the outset. I view e-discovery as a targeted question you are answering and do as well as you can in satisfaction of all legal requirements. The information governance leaders are looking at it from a ‘big picture’ standpoint. They answer the broad question, but my obligation as in-house counsel is to focus on the narrow question. Working together, we try to draw some conclusions.”

Conclusion

Once crown jewels are properly addressed, it is critical to maintain protocol and ensure flexibility to address emerging factors. Existing systems may need updating on a regular basis, and older systems may not meet today’s requirements. It should be noted that while the process to implement an information governance program often starts with the legal department, the long-term ownership may be a better fit for another department, depending on the company.

Companies that do not have the technical or policy expertise to properly and cost-effectively manage all of these steps are not alone, and can rely on third party experts to advise the implementation of new solutions and programs. This is where companies can begin to see tangible results, and experience how information governance can reduce costs and risk in the real world. ACC

ACC EXTRAS ON… Cybersecurity

ACC Docket
■ A Crash Course in Data-Security Regulation and Litigation (Sept. 2015). www.accdocket.com/articles/resource.cfm?show=1408874
■ Cybersecurity — Emerging Trends and Regulatory Guidance (May 2015). www.accdocket.com/articles/resource.cfm?show=1398885
■ Cybersecurity: How to Prepare for and Respond to Cyber Attacks (March 2014). www.accdocket.com/articles/resource.cfm?show=1360853

QuickCounsel
■ Cybersecurity Failures and Resulting Liability Issues (April 2016). www.acc.com/legalresources/quickcounsel/cybersecurity.cfm

Top Ten
■ Top Ten Tech Tips for Corporate Lawyers (May 2016). www.acc.com/legalresources/publications/topten/top-10-tech-tips-for-corporate-lawyers.cfm
■ Cyber Insurance Policies: Top 10 Questions Your Business Should Ask When Considering a Policy (Nov. 2015). www.acc.com/legalresources/publications/topten/cyber-insurance-policies-top-10-questions.cfm



May 31, 2016

Preparing For the Breach: A Look Into


Essential Cyber IG Practices
By Ricci Dipshan

It’s a situation every attorney dreads: You are sitting at your computer on what seems like a normal day, when suddenly the screen goes blank, replaced by a notice that your files are being held ransom or your most valuable data has been stolen out of your system.

In the immediate aftershock, myriad questions can run through your mind. But none is perhaps more important, more pressing, than—what’s next?

The answer, explains Jake Frazier, senior managing director at FTI Consulting, depends largely on what has come before.

“Pretty much what I see is that the work you do before the breach is most everything you can rely on once the breach happens. Once the breach happens, it’s really difficult to maneuver,” explains Frazier.

Preparing for the question of “what’s next?” ahead of time can at first seem like common sense, but it is too easy to underestimate the complexities and handicaps posed by an actual breach.

“We do these what we call table-top exercises, where basically we’ll come in and it’s like a war game simulation,” Frazier says. “And we’ll say we just learned the system has been compromised or this ransomware is happening, trying to encrypt things, so what do we do?”

Often when we work with clients who maybe have underestimated the difficulty of what would happen. They might say, ‘OK, first I’m going to email so and so,’ and we say ‘No, you can’t email, email’s offline—now what?’ And then we just get blank stares and people immediately say, ‘OK, we don’t know what to do.”

The problem, Frazier explains, is that as cyberthreats have evolved, information governance programs have stayed the same.

“What information security historically has done was focus on the fortress approach—how do we put walls up to keep people out. So that would be proxies, firewalls,

encryption security event information management systems, etc.,” he says. “But as we’ve seen for the most part, that is not sufficient, people will get in one way or another, so the problem is once they get in through a backdoor or over the fortress wall, then they can just run amok.”

Triage and Mirage

But this can only happen if data is out in the open for cyberattacks to exploit. Paramount to any data breach preparation is the golden rule of any information governance program: knowing where sensitive data resides. Yet this, of course, is much easier said than done.

“The key to a good IG policy,” explains Farid Vij, lead information governance specialist at ZL Technologies, “is having a complete understanding of your data at all times so that you can be in a proactive position during a data breach, which is the biggest challenge for enterprises today. There’s simply too much data.”

Thankfully, however, data breach preparedness doesn’t require an all-or-nothing approach.

“This isn’t about creating a basic data map; today, we have to get down to the content level of the document to identify things like personally identifiable information, personal health information, and payment card information.” What this comes down to is extracting the most sensitive information among the daily network traffic and regularly created or obtained files, and placing them in repositories with security provisions and data backup options.

“That’s definitely one of our most popular engagements right now,” Frazier says. He adds that in previous client engagements, “we were looking at the transactional data that had to do with account setup, and account numbers, things like that,” in which to create “a tiered approach where critical, private data goes off to other repositories that are much more secure, and your transactional data stays behind.”

While these repositories can have the usual layers of security such as “requiring stronger passwords and dual factor authentication,” Frazier notes that they can also provide “data masking.” This entails scrambling data to create invalid credit card or Social Security numbers. These work as decoys to cyberattackers, while allowing developers to build and test apps using the information as well.

Careful Sharing

Equally as important and valuable in data breach preparedness is controlling user access rights to these data repositories.

“The key challenge with these breaches is often figuring out what data has actually been compromised and ironically, most organizations don’t know where to start,” says Vij. “Take Sony, for example. The majority of the risk and cost associated with the cyberattack was not the data that was directly hacked, but all the data that the hackers got access to as a result of securing passwords and confidential information.”

But as Terrence Coan, senior director in the Law Firm Advisory practice at HBR Consulting explains, when it comes to delegating file access, the legal industry is ahead of the game. “Law firms are obviously very organized around client and matter, so there’s an implied hierarchy; if I know who is authorized to access a client matter, then when I file documents into the system by that client and matter, the system applies the appropriate security to the matter team or to those who have reason or right to know.

Yet like any company in 21st century, law firms are also at the mercy of file shares, which while increasing employee efficiency and collaboration, potentially leave valuable data unsecured and accessible to all.

Frazier calls file shares “one of the least secure areas in a network, because it doesn’t have really rigid permissions. There are a lot of permission profiles on file shares that we see called ‘everyone,’ which means anyone who is in the network can just navigate to the file shares and have access.”

He adds that such areas have been used as “dumping grounds,” where in a recent engagement with a client, Frazier and his team found “a few petabytes of data.” Such fileshares, he notes, can include “HR records, compensation statements, customer records, and permission forms to set

up direct deposits with routing numbers and account numbers, and all kinds of really risky data.”

But like a potentially unsecure database, Coan says, file shares can be an easy fix. “We may lock those down and prevent people from filing to those locations going forward. While we may not delete the materials currently filed there immediately, we tell users that these locations are not an appropriate place to file materials, and if they do file materials on a network file share, we are going to purge them automatically within a defined period of time.”

Of Man or Machine?

While breach preparedness seems simple in theory, execution may be a whole other story.

“On almost every engagement, I’m asked by the clients, do you believe in a human approach where users are going to classify the data and put it in the right spot, or do you believe in a more automated scanning approach? And my answer is always yes — both,” Frazier says. “So it’s always a belt and suspenders approach that works best.”

Using scanning and AI technology even on computers not connected to the network, he adds, can allow companies to find, move or lock down critical files.

“But in the end,” says Coan, “it often comes down to users having to interact with the data to have context to what the data is saying. If they have personal experience with it, they can then make an informed decision where it goes.”

Admittedly, it can be difficult to trust employees — after all, the rise of shadow IT, fileshares, and poor digital hygiene have made insider threats more probable than external breaches.

But employees will always remain central to breach preparedness and must be kept up to speed through constant training, Coan advises.

“It’s always more going to be a situation that they don’t train enough. And that’s because they can’t or don’t get the budget to do the necessary training and education. … There has to be ongoing and routine training, there needs to be training for new employees who are brought into the organization, and there has to be refresher training of the entire employee population on some periodic basis. For example, every year or every couple of years, just to remind people about why this is important, why we are doing it and what we are expecting people to do.”

And more important, Frazier notes, training works: “We find ultimately that through education and awareness, people do get better about how or when they use shadow IT such as cloud storage, or that they are more rigorous around defining who can access it and making sure that there are controls to minimize unrestricted access by somebody who shouldn’t have it.”

When developing a data breach preparedness plan, he adds, companies must also be careful not to set employees up for failure by encouraging them towards shadow IT or other risky tech behavior.

“In a breach, when systems start getting shut down, knowledge workers have pressure to get their jobs done. If all of a sudden emails are not working because there’s a breach, it’s not unlikely that you’ll see users using Yahoo, Gmail, Dropbox, Google Drive and really anything they can get their hands on to continue to do their job.”

Companies, Frazier says, need to let “users know if there’s a breach, don’t go using other systems, and your manager will take into account any lost time due to this breach —an escape valve, so that the day-to-day pressure is alleviated a little bit while the breach remediation is happening.”

Reprinted with permission from the May 31, 2016 edition of Law.COM © 2016 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission
is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 087-06-16-02
Tackling Data Security Risks
Data breaches. Employee fraud. Regulatory change.
These headline-grabbing business challenges are keeping many legal, information
security, IT and compliance departments up at night. Organizations are challenged to
support the modern workplace environment – mobile phones, remote employees, cloud
collaboration sites, social media, IM platforms and chatrooms – while keeping this data
secure and easily retrievable for legal or regulatory needs. How can organizations create
an information governance framework that protects data while staying adaptive to the
rapidly evolving business landscape (GDPR, Brexit, Privacy Shield, etc.)?

© 2017 FTI Technology, LLC. FTI Technology is a business of FTI Consulting, Inc. FTI Consulting, Inc., including its subsidiaries and affiliates,
is a consulting firm and is not a certified public accounting firm or a law firm.
We asked this question of 33 information security, risk, legal, IT and compliance executives, most of whom work at Fortune 1000 companies with responsibilities that include anti-fraud, data privacy, regulatory compliance, information governance and other risk management activities.

Seven key themes emerged:

Start with a Data Assessment.
For many, the process of beginning an information governance program can be daunting.
Where do you begin? Who should be involved? How do you ensure the right executive
buy-in? How do you keep momentum going?

To help answer these questions and focus the project, a third of respondents recommended
conducting a data assessment at the outset.

Advice:

A. “Conduct a baseline assessment without any assumptions and understand the company’s culture.”

B. “Start with an assessment and determine what is already being managed; since you cannot boil the ocean, you need to figure out where to start and where you need to go.”

C. “That risk assessment should drive where you need to focus your efforts.”

Benefit:
Have a clear roadmap that will help you prioritize projects.

Advice from Counsel: Tackling Data Security Risks 2


Engage Internal and External Experts.

Because of the risks involved, data security is now an enterprise-wide endeavor, and not just the concern of IT or information security teams. External data breach threats are rapidly evolving, and recent research from Forrester indicates that 35% of data breaches are caused (accidentally or intentionally) by internal employees.

To help offset this, most respondents recommended recruiting expert analysis to “determine where your weaknesses and gaps are” since “it’s hard to do that internally.” Or, as another respondent said, “Seek out external expertise because the field is too complex for any one individual to manage and the risks are too high.”

Advice:

A. “If it is just you on an island, you will not succeed; tap into industry analysts and thought leaders for guidance since you cannot do it alone.”

B. “Hire someone with a good deep knowledge of technical implementation and crafting policy.”

C. “You need to ask someone and figure out what others are doing; engage a full cross-section of business personnel beyond senior leadership.”

Benefit:
Subject matter experts can ensure your program is up-to-date, and internal leaders can
aid in company adoption of best practices.



Prioritize Data Remediation.

Across the board, respondents expressed frustration at runaway data volumes, with over 90% saying they do not know how much data they are managing. Keeping redundant, outdated or trivial (ROT) information can make it harder to find and protect the truly sensitive information under the company’s care.

Respondents recommend creating or updating an organizational data map, especially as part of a data assessment, and using data remediation to regularly cull out unimportant information.

Advice:

A. “Data has a lifecycle and represents a huge liability today. At the end of its useful life, a company needs to purge it to promote an environment of data minimization.”

B. “The most important data held in Salesforce is not that substantial, but shared folders are filled with significantly more data. The key data is not that substantial.”

Benefit:
Less data means lower storage costs and the ability to focus on protecting sensitive
information.



Prepare for the General Data Protection Regulation (GDPR).
The impending GDPR regulation, set to go into effect in May of 2018, is top of mind for
respondents with employees, customers or partners within Europe. The European data
privacy law will harmonize European data privacy laws to ensure that data transferred from
Europe to the US is appropriately handled and that personally identifiable information (PII)
remains secure.

Respondents recommended conducting an analysis of the law to understand how this will
impact current processes and systems.

Advice:

A. “The company is developing a cross-functional task force to evaluate the different options supported by an external law firm.”

B. “The company will focus on alternatives, including implementing the model clauses, which will be part of an overall third party risk strategy.”

Benefit:
Understanding and acting in compliance with GDPR from the outset of implementation
can help your company avoid costly fines and reputational risk.



Use your Migration to Microsoft Office 365 as an Opportunity.

According to a recent Gartner survey, 54% of organizations will move to Office 365 in the next 1-3 years. The migration from one archive to another provides an opportunity for an organization to take stock of its email and data management practices and potentially update policies and remediate data for greater efficiency and security.

From legal holds to data retention and security policies, respondents in the process of migrating to Microsoft Office 365 shared how the procedure provides an opportunity to make additional process and policy improvements.

Advice:

A. “Office 365 has new encryption technology to protect data better. The use of cloud-based storage for employees facilitates sharing, but opens up a new set of compliance standards and requirements.”

B. “The company implemented a 90-day e-mail retention program along with Office 365 so if you do not manage your e-mail within 90 days, it is automatically deleted.”

C. “Cloud e-mail in general has created information governance concerns, including expanded individual storage, which has created concerns about over retention resulting in litigation challenges, but there is better ability to search and manage the data, which is an advantage. The cloud system has inherent vulnerabilities, but Microsoft is a trusted partner.”

Benefit:
Take advantage of a company-wide migration to remediate old data and update
important policies and processes.



Right-Size Your Solutions.
Some organizations have faced major data breaches, regulatory investigations or large-scale litigation that warrants a complete audit and update of existing processes and technology. Other organizations may not have the same pressures, budget or appetite to make anything other than small changes to key processes.

Respondents repeatedly stressed the importance of fine-tuning any information governance and data security program to the particular needs of the organization.

Advice:
A. “Know your audience and make sure the program is culturally adapted to the organization.”
B. “Knowing the population of people you serve personally, figuring out how to make compliance a value-added part of their activities, and fully understanding the businesses that you support is key.”
C. “The biggest thing is to engage the business and make sure that what you are doing is right-sized for the organization and that you have the resources to achieve success.”

Benefit:
Information governance and data security have a greater chance of success if the program is fine-tuned to the needs and culture of the organization.



Data Security is a Multi-Faceted Challenge and Requires a Multi-Faceted Approach.
Given the complexities within the corporate data environment, there isn’t a silver bullet technology, process or executive that can solve the immense problem of keeping data secure.

That said, respondents recommended a broad range of actions to ensure that an organization’s people, processes and technology are all working in alignment to address various internal and external threats.

Advice:
A. “Encrypt data so that personally identifiable information is stored in a protected environment and access is limited to those with positions that require such access.”
B. “Some competitors pay ‘friendly hackers’ to test their systems.”
C. “Figure out how to get employees taking more training and determine how to make the training message more effective.”
D. “The ability to be prepared to take the necessary steps to protect customers when the data breach happens is as important as prevention; there is just as much liability created by a poor reaction as by the fact that it happened in the first place.”
E. “Encourage a clean desk policy so that information is secured at the end of the day and personal information is not left publicly available in breach of a client’s security request.”

Benefit:
The adage “hackers only need to get it right once, whereas organizations have to get it right every time” is true, but implementing the right programs can help ensure better security. This includes regular employee trainings, using outside third parties to test your system, creating a tiered architecture to better secure sensitive information, and developing a data breach response plan.
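As an added illustration of advice A and of the tiered architecture named in the Benefit (this is example code written for this page, not the survey's or any respondent's), the following Python keeps PII in a separate vault tier and hands the working tier only keyed tokens, grants fields by role, and records every read attempt for audit. The roles, field names, sample customer record and fixed vault key are constructed for the example; a real deployment would encrypt the vault at rest with a key held in a KMS or HSM rather than keep it in memory.

```python
"""Tiered protection of PII: a vault tier holds the sensitive values, the
working tier holds only tokens, and reads are gated by role and audited."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List

# Fields classified as PII; only these are moved into the vault tier (assumed).
PII_FIELDS = {"ssn", "date_of_birth"}

# Least privilege by position: which fields each role may read (assumed roles).
ROLE_PERMISSIONS = {
    "analyst": {"customer_id", "region", "plan"},                      # no PII
    "support": {"customer_id", "region", "plan", "date_of_birth"},
    "payroll": {"customer_id", "region", "plan", "date_of_birth", "ssn"},
}


class AccessDenied(PermissionError):
    """Raised when a role asks for a field its position does not require."""


@dataclass
class TieredStore:
    # Hypothetical in-memory key; production would use a KMS/HSM-held key and
    # encrypt the vault at rest with it.
    vault_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    working: Dict[str, dict] = field(default_factory=dict)  # customer_id -> tokenized record
    vault: Dict[str, str] = field(default_factory=dict)     # token -> clear PII value
    audit: List[dict] = field(default_factory=list)         # every read attempt

    def _token(self, name: str, value: str) -> str:
        # Keyed HMAC: same value -> same token (joins still work), but the token
        # cannot be reversed or forged without the vault key.
        mac = hmac.new(self.vault_key, f"{name}:{value}".encode(), hashlib.sha256)
        return "tok_" + mac.hexdigest()[:24]

    def ingest(self, record: dict) -> dict:
        """Split a record: PII goes to the vault, tokens stay in the working tier."""
        stored = {}
        for name, value in record.items():
            if name in PII_FIELDS:
                token = self._token(name, value)
                self.vault[token] = value
                stored[name] = token
            else:
                stored[name] = value
        self.working[record["customer_id"]] = stored
        return stored

    def read(self, role: str, customer_id: str, fields: List[str]) -> dict:
        """Return the requested fields, detokenizing PII only for permitted roles."""
        allowed = ROLE_PERMISSIONS.get(role, set())
        denied = sorted(set(fields) - allowed)
        self.audit.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "role": role,
            "customer_id": customer_id,
            "fields": list(fields),
            "allowed": not denied,
        })
        if denied:
            raise AccessDenied(f"role {role!r} may not read {denied}")
        record = self.working[customer_id]
        return {f: (self.vault[record[f]] if f in PII_FIELDS else record[f]) for f in fields}


def demo() -> dict:
    """Constructed sample run with a fixed key so the result is repeatable."""
    store = TieredStore(vault_key=b"\x01" * 32)
    stored = store.ingest({"customer_id": "C-1001", "region": "EU", "plan": "gold",
                           "ssn": "123-45-6789", "date_of_birth": "1980-02-29"})
    result = {"working_has_clear_ssn": "123-45-6789" in stored.values()}
    try:
        store.read("analyst", "C-1001", ["customer_id", "ssn"])
        result["analyst_ssn"] = "granted"
    except AccessDenied:
        result["analyst_ssn"] = "denied"
    result["payroll_ssn"] = store.read("payroll", "C-1001", ["ssn"])["ssn"]
    result["audit_entries"] = len(store.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

The working tier can be searched, joined and backed up without ever containing a clear Social Security number, and the audit list is what a breach response team reads first to learn who asked for what.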



Appendix
FTI Technology partnered with Ari Kaplan Advisors to conduct the study by interviewing 33 in-house
compliance leaders. Most participants were from Fortune 1000 corporations and all spoke by
telephone, under condition of anonymity, during November and December of 2015.

Of this year’s participants, 100 percent develop and implement compliance policies and processes,
while 78 percent select, implement, or manage information governance software and service providers.

[Chart: Survey Participants by Industry*. Financial services, including banking and credit institutions, as well as insurance companies (39%); technology (12%); retail (12%); manufacturing; life sciences; telecommunications; security; transportation; energy and utilities; engineering and architecture; entertainment; media.]

[Chart: 2014 Revenues. 45% had total annual revenues greater than $10 billion; 28% had total annual revenues between $1 billion and $5 billion; 27% had total annual revenues below $1 billion.]

[Chart: Number of Employees. 39% greater than 10,000 employees; 24% fewer than 500 employees; 18% 1,000 to 5,000 employees; 9% 5,000 to 10,000 employees; 9% 500 to 999 employees.]



About Advice from Counsel
Through in-person events, virtual meetings, webcasts, surveys
and reports, Advice from Counsel helps e-discovery leaders share
ideas and advice with peers in an open and collaborative forum.
Begun in 2008 as an annual survey and report on top e-discovery
trends, Advice from Counsel has evolved into an interactive
community of e-discovery professionals working to strengthen
the people, process and technology at the core of e-discovery.
Advice from Counsel is sponsored by FTI Technology.

FTI Technology solves data-related business challenges, with expertise in legal and regulatory matters.

As data grows in size and complexity, we help organizations better govern, secure, find, analyze and rapidly make sense of information. Innovative technology, expert services and tenacious problem-solving provide our global clients with defensible and repeatable solutions. Organizations rely on us to root out fraud, maintain regulatory compliance, reduce legal and IT costs, protect sensitive materials, quickly find facts and harness organizational data to create business value. For more information, please visit www.ftitechnology.com.

For more information: ftitechsales@fticonsulting.com, www.ftitechnology.com
North America: +1 (866) 454 3905
Europe: +44 (0) 20 3727 1000
Australia: +61 (2) 9235 9300
Hong Kong: +852 3768 4500
Shanghai: +86 21 5108 8002
Tokyo: +81 3 5369 3939

© 2017 FTI Technology, LLC. FTI Technology is a business of FTI Consulting, Inc. FTI Consulting, Inc., including its subsidiaries and affiliates,
is a consulting firm and is not a certified public accounting firm or a law firm.
Identifying & Protecting the Corporate Crown Jewels
By Jake Frazier, Senior Managing Director, FTI Technology

Anyone who owns a home understands they need a way to safely protect their family’s “crown jewels,” such as key documents, jewelry and irreplaceable photos, from theft, loss and catastrophe. Solving this problem is typically simple: buy a safe. Somewhat more complicated is the process of finding and determining what to put in the safe. Should the title to the car go in there? What about passports? If I wear my Rolex once a week, is it worth bothering to keep in the safe the rest of the time? And those photos of my grandparents are in a box in the attic somewhere; I really should find them and put them in the safe.

[Figure: Information Governance Reference Model (IGRM). Linking duty + value to information asset = efficient, effective management. Stakeholders around the information lifecycle (Create, Use; Hold, Retain, Discover; Store, Archive, Secure; Dispose): Business (Profit, Value), Privacy & Security (Risk), Legal (Risk), RIM (Risk), IT (Efficiency), within Unified Governance, Policy Integration and Process Transparency. Duty: legal obligation for specific information. Value: utility or business purpose of specific information. Asset: specific container of information. Information Governance Reference Model / © 2012 / v3.0 / edrm.net]

Similarly, every organization has a set of crown jewels—information that is critical, unique or irreplaceable. And much like at home, the most difficult part of protecting them is not actually the repository, it is determining what information qualifies for this type of protection, and finding it, and moving it to a safer place.

This is in part because no single person or department can define what constitutes the crown jewels. That requires a multidisciplinary, cross-functional approach. It must encompass information that would be devastating to have stolen, but may also include data that needs to be exempt from disposition and can’t be destroyed, such as executive emails under legal hold.

When identifying and protecting crown jewels, organizations must involve many stakeholders, determine the processes for keeping the data safe and create procedures for removing information that has lost its value. With the right tools and technologies, companies can keep their crown jewels from being lost or stolen.

2/12 Identifying & Protecting the Corporate Crown Jewels © 2015 FTI Consulting Technology, LLC
Categorizing Critical Information
Data cannot be simply locked up and shut away. If that happens, it becomes useless. Think about heirloom jewelry. It was meant to be worn, but if it is kept inaccessibly in a safe deposit box at a bank downtown, it cannot be. Similarly, paintings may be extremely valuable, but storing them in a fireproof warehouse makes them less enjoyable.

At the same time, it is critical to determine what type of information requires protecting. For example, much like flammable household products, some information may not be considered crown jewels, but can quickly cause tremendous damage in the wrong hands. Sony Pictures Entertainment learned this lesson when it was hacked last year and lost control of the Social Security numbers of workers who had long since left the company.1

Crown jewels can be divided into several categories and can exist in multiple locations and different formats:

Information that may not be destroyed
Some information may need to be carefully maintained, not because it has intrinsic value but due to legal holds, regulatory requirements and other reasons.

This type of information can exist in many places within organizations, such as a file share, on an employee’s mobile device or on a hard drive. It must be protected from inadvertent destruction.

Some of these files may be old or exist in legacy formats. When moved to a secure location, this type of data needs to be handled carefully, so that none of the metadata is altered. If no one at the organization knows what data exists and where it is, companies can easily find themselves with “dark data pools.” This can include decades-old paper files or microfiche that are in storage.

Items of actual value
Like real precious jewels, some corporate information is truly valuable. This can include customer lists, formulas, intellectual property, schematics, pricing templates and other types of information that provide competitive and strategic advantage. As in the Sony case, it can also include master copies of intellectual property (e.g. films not yet released).

Information that can be risky or dangerous in the wrong hands
Some information must be kept private, regardless of its actual value. Employee records are a good example of this, as are documents developed for regulators and documents that carry attorney-client privilege, or the Social Security numbers of the prior Sony employees. These documents are likely much more valuable to outsiders than the company itself, and therefore must be protected carefully.

Information that can be risky or dangerous to keep in any hands
Some information can cause significant reputational risk if it isn’t protected. Other information can be very costly, particularly if it becomes potentially responsive in litigation. This was also a factor in the Sony hack.

Many organizations are confronting a relatively new problem, as their store of emails begins to stretch out for years and even decades. This can include emails sent and received by people who left the organization a long time ago. If these old emails contain keywords that have been identified as part of an e-discovery collection, those emails will end up in the document populations that must be reviewed. No one who is currently employed by the company may be familiar with the people or issues that have triggered the review. The document reviewers may not be able to determine if the emails are responsive, so they may need to produce them. Then the legal team has to answer questions about the emails. This can be enormously time-consuming and costly. It may also require companies to turn over meaningful documents to adversaries.2

1 “Sony Pictures Reaches Settlement in Hacking Lawsuit,” Los Angeles Times, September 2, 2015. http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-studio-reaches-agreement-to-settle-with-plaintiffs-20150902-story.html
2 “The Best Way to Use Data to Cut Costs? Delete It,” CIO Insight, August 17, 2015. http://www.cioinsight.com/it-strategy/big-data/slideshows/the-best-way-to-use-data-to-cut-costs-delete-it.html

By hanging on to information that is of no use, companies may also misallocate information that is very valuable. It’s like buying an expensive sports car, and not being able to park it in the garage because of old furniture stored there. The same tools that help organizations identify their crown jewels can also help find documents that no longer have any value and should be deleted. Valuable information should be stored under lock and key, while the junk should be tossed out.

Identifying the Crown Jewels
Deciding what qualifies as a crown jewel or one of the other important data types can be challenging, even after defining what all the types are. For purposes of simplicity, in this paper we will group all of the various types of important data under the crown jewels moniker. When grouping data it is tempting to rely on the information technology department, but this is often not the best group to make this determination. (They will protect the information, but someone else needs to define what is important and worth protecting.)

When figuring out who should identify the information that needs protecting, it can help to think of a Venn diagram. Crown jewels can be found in three types of groups that can overlap: information subject to legal holds; records that must be retained to satisfy regulatory requirements; and data that contains business value. Crown jewels can reside in any of these three circles. The rest is information that can be deleted according to the schedule of the company’s records management program.

[Figure: Venn diagram of three overlapping circles: Information subject to legal holds; Records retained to satisfy regulatory requirements; Data that contains business value.]

Generally, three different groups within companies should identify the information: the legal department, the records management group and the businesspeople. But it’s not necessary to form another committee and bring representatives from each group together to review every potential piece of data. Instead, each group should be given access to the underlying database where the records are kept, with each group having its own interface into the data. For example, the legal group’s interface can help it manage legal holds while records management’s interface assists it in tracking what information must be retained for which length of time as part of the company’s document retention policies.

One thing to keep in mind: important information is often kept together. Just as you may have all your jewelry in a single drawer at home, your customer lists may all be in the same electronic file on a drive shared by the marketing department.

From a strategic value point of view, the businesspeople should decide how long information should be retained, based on the last date it was accessed. In other words, if people are looking at the information, it has value and should be retained.

Keeping Information Safe
Once legal, records management and the businesspeople have determined what and where their crown jewels are, it’s time to develop the processes to keep that data safe. In parallel with tracking which employees are placing information in the central repository, it’s important to begin training.

When creating the repository for the crown jewels, organizations may be tempted to think of it similar to a home security system. Companies generally focus on designing systems to keep out external threats. However, homes are at a much higher risk from internal threats, such as housekeepers and other employees. When considering the process for securing critical information, organizations should look for tools that protect against threats like hackers, but they also need to figure out how to safeguard data from those inside the organization. These internal threats often come from those who aren’t deliberately malicious, but who hoard valuable data and never release it into the company’s systems. Without a central repository to store the crown jewels, important information may exist that no one has visibility into or can find.

And such a repository must be much more sophisticated than a simple file share, which anyone can access and copy or delete files from anytime. Rather, the central repository should have more granular security such as authentication labels, different access tiers and permissions in order to better control access. It also requires more sophisticated storage and backup protocols than a standard file share.

Creating an audit and reporting trail is extremely important. When someone identifies information as a crown jewel, it should automatically trigger a set of steps to identify and preserve that information. Companies should also institute and maintain a hierarchy of important data, since not all valuable information is equally valuable. For example, information that falls under a legal hold should have the highest priority.

From a change management standpoint, companies probably should not attempt all of this at once, as employees will become overwhelmed, systems may fail and momentum will be lost. The first step should be to report on which information is worth keeping, and then identify where the information resides. Before deleting the data, it should be moved to a secret place as a fallback, in case there are issues when the new system is being instituted.

Once procedures are in place, the company should regularly review and tweak them when necessary. More efficient processes may be identified, new regulations regularly emerge and legal holds could close, allowing data to be deleted. However, the technology itself should be extremely flexible, with no limits to data that can be classified as crown jewels.
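To make the three-circle model from the previous section and the priority hierarchy above concrete, here is an added Python example (not code from the paper or from FTI) that places each item in the legal-hold, regulatory and business-value circles, ranks it with legal hold first, produces the "what is worth keeping and where it resides" report, and shows a closed hold releasing an item for deletion. The item fields, the one-year inactivity window used to infer business value from the last access date, and the sample paths, hold identifiers and dates are assumptions made for the example.

```python
"""Sort data into the paper's three Venn circles (legal hold, regulatory
record, business value), rank it, and decide retention or deletion."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Lower number = higher priority; legal hold outranks everything.
PRIORITY = {"legal_hold": 1, "regulatory": 2, "business_value": 3}

# Assumed policy: an item nobody has opened for a year has lost business value.
WINDOW = timedelta(days=365)
TODAY = date(2015, 9, 1)          # fixed "today" so the sample run is repeatable


@dataclass
class Item:
    path: str                                           # where the information resides
    last_accessed: date
    legal_holds: Set[str] = field(default_factory=set)  # open hold identifiers
    retain_until: Optional[date] = None                 # regulatory retention end date


def circles(item: Item, today: date, inactive_after: timedelta) -> Set[str]:
    """Which Venn circles the item sits in; may be several, may be none."""
    found = set()
    if item.legal_holds:
        found.add("legal_hold")
    if item.retain_until is not None and item.retain_until >= today:
        found.add("regulatory")
    # Business value is inferred from the last access date: if people are
    # still looking at it, it has value.
    if today - item.last_accessed <= inactive_after:
        found.add("business_value")
    return found


def priority(item: Item, today: date, inactive_after: timedelta) -> int:
    """1 = legal hold (highest), 2 = regulatory, 3 = business value, 0 = not a crown jewel."""
    return min((PRIORITY[c] for c in circles(item, today, inactive_after)), default=0)


def disposition(item: Item, today: date, inactive_after: timedelta) -> str:
    """RETAIN with every reason that applies (highest first), or DELETE per the schedule."""
    found = circles(item, today, inactive_after)
    if not found:
        return "DELETE"
    return "RETAIN:" + ",".join(sorted(found, key=PRIORITY.__getitem__))


def release_hold(item: Item, hold_id: str) -> None:
    """Closing a legal hold may make an item deletable on the next report."""
    item.legal_holds.discard(hold_id)


def report(items: List[Item], today: date = TODAY,
           inactive_after: timedelta = WINDOW) -> List[Tuple[int, str, str]]:
    """First step per the paper: what is worth keeping and where it is,
    highest-priority items first, deletable items last."""
    rows = [(priority(i, today, inactive_after), i.path, disposition(i, today, inactive_after))
            for i in items]
    return sorted(rows, key=lambda r: (r[0] == 0, r[0], r[1]))


def sample_items() -> List[Item]:
    """Constructed inventory of four items on a file share and mail archive."""
    return [
        Item("share/marketing/customer_list.xlsx", date(2015, 8, 20)),
        Item("mail/exec/archive_2009.pst", date(2012, 3, 1), legal_holds={"LH-2015-07"}),
        Item("finance/2012/annual_report.pdf", date(2013, 6, 30), retain_until=date(2019, 12, 31)),
        Item("tmp/old_deck.pptx", date(2013, 1, 1)),
    ]


if __name__ == "__main__":
    items = sample_items()
    for row in report(items):
        print(row)
    release_hold(items[1], "LH-2015-07")      # the hold closes
    print(disposition(items[1], TODAY, WINDOW))
```

Each group from the paper can drive its own circle through its own interface: legal edits `legal_holds`, records management sets `retain_until`, and the business supplies access dates; the report then needs no committee meeting to be produced.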

Creating Repeatable Processes Across Locations
All of this is challenging enough when companies only have one office or location. With multiple locations, the process becomes much more complicated. The terabytes and petabytes of data that companies today produce make it even harder to develop processes that are consistent and repeatable.

This is where technology comes in.

Companies should consider factors such as using indexing rather than crawlers to find crown jewels. With e-discovery collection tools such as crawlers, the technology goes to files, opens them up, reviews them and then moves on. If someone at the company needs to revisit the file, the entire process has to begin all over again. Indexing presents a much smarter approach. With indexing technology, the system opens, scrapes and maintains information in an index, with a pointer to the file. (This is how Google works.) If updates are made to some files the next day, the system knows when to skip files and when to review them. Indexing technology looks for additions, deletions and changes to files, and reindexes them every day. This enables a continuous process and keeps rules static until needed. That results in a much smaller expense.
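The index-versus-crawler distinction in this section, as an added Python example (not the paper's or any vendor's code): files are fingerprinted by content hash, unchanged files are skipped, changed files are reindexed, deleted files are dropped, and a search is answered from the index with pointers to the files rather than by reopening them. The two-day snapshot of a file share and its contents are constructed sample data; the word tokenizer stands in for a real text extractor.

```python
"""Incremental indexing: detect added, changed and deleted files by content
hash, reindex only those, and answer searches from the index."""
import hashlib
import re
from collections import defaultdict
from typing import Dict, Set

WORD = re.compile(r"[a-z0-9]+")


def fingerprint(content: bytes) -> str:
    """Content hash; an unchanged hash means the file can be skipped."""
    return hashlib.sha256(content).hexdigest()


def terms_of(content: bytes) -> Set[str]:
    """Crude tokenizer standing in for a real text extractor."""
    return set(WORD.findall(content.decode("utf-8", "replace").lower()))


class Index:
    def __init__(self) -> None:
        self.files: Dict[str, str] = {}                        # path -> fingerprint
        self.postings: Dict[str, Set[str]] = defaultdict(set)  # term -> paths (pointers)

    def _forget(self, path: str) -> None:
        for term in list(self.postings):
            self.postings[term].discard(path)
            if not self.postings[term]:
                del self.postings[term]
        self.files.pop(path, None)

    def update(self, snapshot: Dict[str, bytes]) -> Dict[str, int]:
        """Bring the index in line with today's snapshot (path -> content).
        Returns how many files were added, changed, deleted and skipped."""
        counts = {"added": 0, "changed": 0, "deleted": 0, "skipped": 0}
        for path in list(self.files):
            if path not in snapshot:
                self._forget(path)
                counts["deleted"] += 1
        for path, content in snapshot.items():
            fp = fingerprint(content)
            if path in self.files:
                if self.files[path] == fp:
                    counts["skipped"] += 1       # a crawler would reopen this file
                    continue
                self._forget(path)
                counts["changed"] += 1
            else:
                counts["added"] += 1
            self.files[path] = fp
            for term in terms_of(content):
                self.postings[term].add(path)
        return counts

    def search(self, *terms: str) -> Set[str]:
        """Paths containing every term, answered from the index alone."""
        hits = [self.postings.get(t.lower(), set()) for t in terms]
        return set.intersection(*hits) if hits else set()


# Constructed two-day snapshot of a file share (sample data, not real files).
DAY1 = {
    "hr/employee_ssn_list.xlsx": b"employee ssn 123-45-6789 payroll",
    "marketing/customer_list.csv": b"customer list pricing template",
    "tmp/lunch_notes.txt": b"lunch notes",
}
DAY2 = {
    "hr/employee_ssn_list.xlsx": b"employee ssn 123-45-6789 payroll",   # unchanged
    "tmp/lunch_notes.txt": b"lunch notes customer meeting",            # changed
    "legal/hold_notice.msg": b"legal hold executive email",            # added
}                                                                      # customer_list.csv deleted


def demo() -> Dict[str, object]:
    idx = Index()
    first = idx.update(DAY1)
    second = idx.update(DAY2)
    return {"day1": first, "day2": second,
            "customer_hits": idx.search("customer"),
            "ssn_hits": idx.search("ssn")}


if __name__ == "__main__":
    print(demo())
```

On day two only the changed and added files are opened; the unchanged HR spreadsheet is skipped on the strength of its fingerprint, and the deleted marketing file no longer appears in any search result.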

Locking the Safe
Once information is identified and located, it is critical to secure it in the correct repository and otherwise continue to protect it. This includes ensuring repositories are built on WORM (write once, read many) storage, properly migrating data from legacy archives to cloud applications, having—and adhering to—a policy for archiving emerging data types, keeping messaging policies updated and developing a cloud strategy. The fact that companies may not have the technical or policy expertise to properly and cost-effectively manage all of these steps does not make them less important, and there are third parties that can easily step in to help meet those challenges.

This is where the rubber meets the road and companies can see tangible results. It’s also one of the ways that information governance can be used to reduce cost and risk in real-world environments, by identifying and safeguarding the company jewels. If companies aren’t doing this already, they need to start before their most valuable possessions are stolen or lost. And if they need help, they must find it.

About the Author
Jake Frazier

Jake Frazier is a Senior Managing Director at FTI Consulting and is based in Houston. Mr. Frazier heads the Information Governance & Compliance practice in the Technology segment. Mr. Frazier assists legal, records, information technology, and information security departments in identifying, developing, evaluating and implementing in-house electronic discovery and information governance processes, programs and solutions. These solutions are designed to produce the largest return on investment while simultaneously reducing risk.

July 2015

Why Data Deletion Makes Sense (and Dollars)

Jake Frazier
Senior Managing Director
Technology
Information Governance & Compliance
FTI Consulting
July 2015

Conventional wisdom says the cost of storing data is declining. Conventional wisdom is right ... and wrong.

The price of disks has been dropping for years. According to Gartner, the cost of disk storage per terabyte has been falling, too. Additionally, distributed computing, virtual machines and on-demand storage capacity that can be ramped up or down according to a business’ needs all have combined to lower the total cost of ownership (“TCO”) for storage. This has led many business executives to believe that the TCO for data storage will continue to decline ad infinitum, allowing them to collect all the data they would like to use to improve performance and drive top-line revenues.

All this would be true if not for several inconvenient truths.

Market research firm IDC estimates that the amount of all digital data created and consumed in 2012 was 2,837 exabytes. (One exabyte equals a million terabytes.) And that number is forecast to double every two years, reaching 40,000 exabytes by 2020.

Meanwhile, ICT Analytics reports that the amount of data being stored is increasing, on average, 45 percent annually. In fact, storage is the fastest growing cost within the enterprise data center.

But, one asks, what about the cloud? Doesn’t cloud computing permit businesses to outsource storage to providers at a fraction of the cost of a proprietary data center?

Yes it does for some types of data. But it gets complicated for critical data. Data privacy laws vary by industry, by country and even sometimes from state to state. The cloud storage providers’ business model typically assumes they can move data freely from jurisdiction to jurisdiction — optimizing server capacity and availability and, thereby, controlling their own costs. Adding jurisdiction-specific requirements to a hosting contract often can increase the cost significantly.

In practice, with the rapid acceleration of the volume of data generated (all those exabytes produced by the proliferation of sensors, tablets and smartphones) and the concomitant increase in the data that businesses are storing, the total cost of data storage is not (despite conventional wisdom) declining. How could it? Walmart, for example, handles more than a million customer transactions each hour and imports those transactions into a database estimated to contain more than 2.5 petabytes of data.

Do the math.

If a hypothetical company stores one petabyte of data this year, it will store 1.45 petabytes next year.

If the cost to store data drops 15 percent a year (or even 30 percent at the high end) while volume grows 40 percent, it’s easy to see that the conventional wisdom that the total cost of storage is declining is wrong. And this simple calculation does not include ancillary storage costs such as staffing; data backup; and confirmation that the data collected are accurate, useful and clean.

This growth in storage and its management is placing a growing burden on all businesses — a hidden tax that is ever increasing. However, this is a tax that businesses can do something about. They can delete a significant percentage of their expensive-to-store data.

Unfortunately, while everybody is storing more data, very few are deleting any. Call it data hoarding.

Data Hoarding: Sense and Nonsense
Not all data that businesses collect are useful. Indeed, as the enterprise’s haystack of data climbs ever higher, businesses often do not know what data they possess. Much of the information may be — and frequently is — junk, and data analysts waste time working with this junk, finding spurious patterns within it, thus hindering the company’s decision-making capabilities while incurring needless costs.

Why do businesses collect and store more data than they are able to process and use? One reason is Big Data hype and the vague belief that more is better — that somewhere in that ever-growing haystack is a golden needle that will produce new insight and generate additional revenues. This, however, is not a business strategy; it is a business wish.

Another reason businesses store data is fear of the possible legal consequences that may arise from deleting information. U.S. Securities and Exchange Commission regulations, for instance, demand that brokers and dealers retain all client account information for six years and copies of all reports requested or required by regulators for three years. Regulations such as these encourage data hoarding, as many businesses believe that in the current rigorous regulatory environment, it is safer to keep everything and delete nothing. There is, in effect, no obvious incentive to delete, and underpreserving creates risk if data later are deemed critical or discoverable. Recognizing this growing problem, and the potentially unreasonable persistence of data, some European states have proactive deletion policies, especially in cases such as employee performance reviews and disciplinary actions. According to the European Union Advisory Board on Data Protection and Privacy, “The annual assessment of a worker contains information regarding a concrete date and a given contact. After some years, there is no reason in principle to store information regarding such evaluations. Therefore, the retention period should be limited to two or three years maximum after the evaluation.”

In litigation, U.S. courts instruct juries to place a negative inference on the absence of relevant data such as emails, thereby encouraging businesses to store everything in the event there ever is a request to produce information in the discovery phase of a lawsuit or trial. However, that court mandate applies only if there was a duty to preserve the data in the first place. Unfortunately, that duty rarely is defined before a case is brought, and overpreserving, and failing to remediate backup materials, results in additional costs when there is a request to produce, as attorneys or e-discovery providers must spend time reviewing a greater quantity of material.

The hours add up.

A 2012 RAND study found the cost to review one gigabyte of data was $18,000. Of course, improvements in e-discovery and predictive coding technologies can reduce those costs, but, again, as volume increases, those savings can be devoured.

Volume is key and creates its own risks.

of data to lose. Recent high-profile data breaches at various retail and entertainment companies have made public enormous troves of data.

Breaches are expensive. According to a recent Ponemon Institute study, the average total cost to an organization of a data breach in 2014 was $5.85 million.

That’s real money.

And today, even smaller companies are collecting — and storing — an ever higher volume of data as smartphones make data more available to businesses. Almost all retail sectors are seeing enormous growth in smartphone purchase conversion. According to Cisco’s Visual Networking Index forecast, the global information processing traffic will grow at a compound annual growth rate of 20+ percent from 2013 to 2018, with over half of that coming from non-personal computer devices. All this collected data attract hackers and other criminals, as personal credit information (which either can be used or sold) becomes more available and accessible.

Businesses can attempt to secure their data — as they should — but recent history indicates there’s no guarantee they can do so successfully. The simplest solution to the risk and expense of collecting and storing too much data is deleting the data not needed.

Getting Rid of Junk Data Requires Information Governance
Storing data that businesses don’t have to keep ends up absorbing capital that otherwise could be deployed on operations or investments or return on capital. If a business chooses to reduce spending by cutting budget or laying off workers, in effect, it has (perhaps unknowingly) chosen data — much of which may be junk — over working

they levy on a company’s resources — are not an information technology (“IT”) problem; they are a business problem.

To attack the junk data issue, businesses must take a holistic view of the challenge, working across functions. That includes the chief information officer and the chief financial officer, as well as the company’s Legal, Compliance and Security departments. Working together, the company can determine what data it needs to store and what data it can delete. The return on investment (“ROI”) of deletion will become visible to the business as it begins to understand the extent of the resources needed to secure that data.

This is known as information governance. Good information governance requires creating a map of information assets across the business units, including cloud applications. This is the first step toward accurately classifying and categorizing data and allows a comprehensive assessment of which assets should be retained and which can be deleted.

Developing defensible statistical sampling protocols can help businesses reduce large amounts of stored media. Indexing and machine analysis of backup media can pinpoint what data should be preserved and what can be deleted.

Trying to delete large quantities of data manually is difficult and expensive; it is a
For one thing, if more data are stored, capital and productive employees. It,
there, obviously, is a greater amount therefore, is important to understand
that junk data — and the attendant tax

3
July 2015

process that begs to be automated. This In another instance, a top-tier financial and these factors often discourage
means establishing machine rules that institution was able to get rid of useless deletion. It necessitates someone with
mandate the deletion of unnecessary and log files (records of requests to servers appropriate perspective and seniority to
vulnerable duplicates. These are created saved to hard drives, including those see across the business’ fiefdoms and
when multiple copies of documents or created during system installations) that work with Legal, Compliance, Security, IT
files are downloaded to often-insecure were stored in the depths of its IT system and the business units to implement an
devices or when individuals email files to and provided no value whatsoever. information governance plan and begin
themselves. It has been estimated that Working with FTI Consulting, the bank deleting junk data. This is why, in the long
in a number of companies, duplicated was able to delete hundreds of useless run, information governance efforts have
files represent 20 percent to 40 percent terabytes of data. At a cost to store of to be led from the top.
of the data. Reducing duplication is $3.20 a terabyte, the company saved over
a good thing. It improves operational
efficiency, as duplicate data drive up data
$600,000 in the first year and more than
$3 million over five years. No End to the
volume while slowing processing times
and hampering business agility. Deleting Another financial institution was sending
Data Deluge
duplicate data also decreases legal thousands of backup tapes every As smartphone adoption and use
review costs as attorneys no longer have month to an information management increase, the digital universe will continue
to examine repetitious documents. Good services company. Although the cost of to grow. Right now, digital’s size beggars
information governance is an investment storing tapes isn’t large, the software the imagination. In a few years, it will
with an immediate and long-term ROI. that makes the tapes must be licensed defy it. Unless businesses begin deleting
from a software provider — a recurring data they don’t have to have access to
For example, in 2014, multinational and perpetual expense. Reducing the at the moment, they will jeopardize the
metals and mining company Rio Tinto, number of tapes and licenses translated technological, financial and operational
which was generating a rapidly growing to impressive savings for the firm. resources available to collect, process
volume of data, identified approximately and analyze the torrent of incoming
40 percent of its stored data as junk
or, in the words of its head of global Of Course, No One data they will need later on. This may
place them at a future competitive
business services, “eligible for defensible
destruction.”
Said It Would be Easy disadvantage while increasing the
financial and legal risks currently being
In many businesses, data storage is faced.
Acknowledging that Rio Tinto, like most considered an IT issue, and if IT tells
large companies, is not good at “hitting a business unit leader that it wants to Deleting data is not really about saving
the delete key,” the executive said the delete the unit’s data, there’s generally money; it is about not wasting money
company saw “a strong ongoing business pushback. After all, the data belong to the and spending it, instead, on initiatives
case” for lowering storage costs “while business unit, not to IT, and maybe, just and innovations that drive revenues.
strengthening our overall information maybe, the information is valuable.
governance across Rio Tinto.” Deleting data, and the information
Even when an enterprise recognizes that governance processes that enable
It has been estimated that Rio Tinto it has a data retention problem, business- enterprises to do so safely and securely,
immediately saved $8 million simply by level views do not always align. The issue is just good — and logical — business.
eliminating 35 percent of the file shares in is that each business function considers
its network. data differently. Various functions have
unique needs, requirements and targets,

Jake Frazier
Senior Managing Director
Technology
Information Governance & Compliance
FTI Consulting
jake.frazier@fticonsulting.com

For more information and an online version of this article, visit ftijournal.com.

The views expressed in this article are those of the author and not necessarily those of FTI Consulting, Inc. or its other professionals.

© 2015 FTI Consulting, Inc. All rights reserved.
Technology Segment Information Governance Toolkit

www.ftitechnology.com
ftitechsales@fticonsulting.com
North America +1 (866) 454 3905
Europe +44 (0) 3727 1000
Australia +61 (2) 9235 9300
Hong Kong +852 3768 4584

About FTI Consulting


FTI Consulting, Inc. is a global business advisory firm dedicated to helping organizations protect and enhance enterprise value in an increasingly complex legal, regulatory and economic environment. FTI Consulting professionals, who are located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges in areas such as investigations, litigation, mergers and acquisitions, regulatory issues, reputation management and restructuring.

www.fticonsulting.com
