Table of Contents
How to Safeguard the Crown Jewels in the Age of Information Security Threats, by Jake Frazier, FTI Technology
…achieve their range of unique goals through the implementation of a single IG effort. But before creating a laundry list of needs, the team must work together to understand the confines of the internal landscape, such as the corporate culture as it relates to risk and changing business processes.

By evaluating each group’s varying motivators through the lens of the company’s culture, stakeholders can begin to understand the ‘gives’ and ‘gets’ involved in building new policies and implementing new technology. During these discussions, stakeholders should come to the table prepared with a risk analysis and ROI calculations for proposed projects.

• Executive Sponsorship: An IG project simply cannot be successfully implemented—or enforced—without C-level involvement. The key to gaining their buy-in is communicating the program’s benefits that will specifically address their pain points. If the executive sponsor is the general counsel, building the risk case for that person is critical—this includes the risk of not disposing of data that has met its retention requirement and is not subject to legal hold. If sponsorship is solicited from the CIO or another IT leader, they may be more likely to embrace a project that addresses data minimization and defensible disposal. Business leaders or board members will be more focused on the costs, the overall impact to the bottom line and the risk mitigated. Quantify what the business will save in the long run, the risks involved and how those risks will be mitigated. Generally, starting with small projects can show value quickly and grow in scope (and ROI) over time.

The corporation’s existing risk framework, which prioritizes the organization’s highest risks (regulatory/sanctions, reputational, etc.), can help the team evaluate which risk categories IG will impact, and make a business case for IG investments that can mitigate key risks without becoming financially prohibitive. This business case should also take into consideration the cost avoidance of possible penalties for failing to comply with regulations in any region where the company does business.

• Change Management: In IG, the course of changing business processes should be rooted in compliance. Change is difficult for many people and becomes exponentially more so in large organizations where a wide range of varying priorities and personality types exist. Understanding how to effectively manage and enable change—and approaching it as a journey—is essential for anyone looking to drive IG. Legal and compliance departments have the opportunity to help their IG cohorts and the rest of the organization understand the fundamental legal and regulatory drivers behind the proposed changes.

One of the most widely accepted methods for implementing change management is the Kotter 8-Step Change Model, which was developed to help organizations become adept at progress. Some of the key tenets of this model, which will help with managing data challenges, include creating urgency, clearly communicating the vision, identifying and eliminating obstacles, setting short-term realistic goals that foster a sense of achievement among those involved, and making changes permanent by solidifying adoption and addressing opposition head-on.

When in-house counsel work strategically with the IT and records departments, they can make a huge impact in implementing technology to enforce and support the policy and track company-wide compliance with it. Establishing a cross-functional team to spearhead these issues with executive sponsorship is the critical first step in the right direction. Part 2 of this article—“Achieving Information Governance Enforcement: Ensuring Policies Aren’t Left to Collect Dust”—will outline additional best practices that lead to IG enforcement and prevent important policies from falling by the wayside.

T. Sean Kelly is a senior director within FTI Technology’s information governance & compliance services practice.

Reprinted with permission from the March 3, 2017 edition of Corporate Counsel © 2017 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 016-03-17-08

corpcounsel.com | March 6, 2017
…at this stage, as they are able to help the internal teams outline the critical components of the program, develop audience-specific training materials, identify what users will need to be trained on and determine what the depth of that training should be.

Training should not be out of the box from software providers, nor should it necessarily be the same for everyone in the organization. Training collateral should be tailored to the organization’s unique needs and show users what the new policies look like within the context of their work environment. For example, for legal hold projects, it is important to establish whether users understand which records and individuals may be subject to legal hold and which won’t. It’s also useful to build a dedicated page available to all internal users that offers reference guides and FAQs dedicated to explaining new policies and the tools that are being used.

• Strategic Technology Implementation: Every technology evaluation that impacts the company’s data in any way should involve the legal and/or e-discovery team, in addition to records, IT and compliance. This is particularly important when it comes to legal hold implementations. The process should start with clear goals for the project, such as thoroughly retaining data for any custodians that are under legal hold, monitoring activity per compliance requirements and escalating events of non-compliance to stakeholders. The most critical feature a product should offer is the ability to monitor and flag activity—this will make the biggest impact in achieving and maintaining IG enforcement. Robust monitoring capabilities will enable the IG sponsor to see when legal holds—or other policies—are not being acknowledged and escalate the issue to promote and enforce adoption of the processes.

Another important consideration is the existing data structure and overall IT infrastructure. For example, when an organization’s data is all on shared drives, solutions must have the appropriate plug-ins to integrate with the systems impacted. It is also important to consider how to automate deletion of data that is no longer required under the established retention schedule, and to strategically define when and how the organization stores its data. Having a set of clear goals at the forefront when evaluating technology will go a long way in ensuring that the team is asking the right questions during the purchasing process.

Tools that are offered as part of a broad suite of offerings typically do not have the sophistication to make sure nothing falls through the cracks. Best-in-class products that are purpose-built for the one thing needed—such as legal hold or document and revision management—will be more successful in doing a thorough job and integrating with existing systems.

A technology evaluation undertaken by a large manufacturing company serves as an example of one that was done really well. The company was liable for claims that otherwise could have been mitigated had the organization’s data deletion processes been executed. Essentially, the legal team was facing the burden of producing data that would have been defensibly disposed of had end-users complied with existing IG policies. By enforcing legal hold through a specific tool, and integrating it into their compliance and IT programs, the legal team was able to ensure that data could be defensibly and automatically deleted as soon as it was no longer subject to legal hold or any individual’s retention schedule.

The ability to automate IG as much as possible, and to track compliance across the company, is absolutely critical in achieving ROI from the precious time and resources that are invested in building out these programs. Ultimately, it is up to the collaborative team of stakeholders to ensure that training and change management are addressed in a strategic and thorough way, and that technology solutions are selected based on the organization’s unique and diverse needs. These important steps will promote IG wins and make it possible for the team to measure long-term adoption and success.

T. Sean Kelly is a senior director within FTI Technology’s information governance & compliance services practice.

Reprinted with permission from the March 6, 2017 edition of Corporate Counsel © 2017 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 016-03-17-09
BEST PRACTICES: Skills You Need To Climb the Mountain of Data Challenges

…e-discovery and other data-related costs. Knowing how to achieve budget predictability is a critical skill that can have a lasting effect on the success of any matter. As the industry matures, more lawyers are turning to master service agreements to negotiate alternative billing models and achieve greater budget predictability.

Another way to control budgets is to recognize the ways technology can affect the time and cost of a project. Sophisticated legal teams are using analytics and predictive coding to identify sensitive information for IG purposes or to uncover key facts for legal or regulatory matters. This helps reduce the time spent wading through large volumes of information, reducing overall costs.

A solid grasp on technology capabilities and limitations. Technology provides a variety of solutions to assist in getting data under control. When kicking off any initiative to address data security, remediation, preservation optimization or modernizing storage, the wise professional will become educated on the range…

…operating in critical sectors to satisfy wide-reaching incident reporting obligations. This, coupled with the General Data Protection Regulation (GDPR), which allows fines of up to €20m or four percent of global annual turnover, whichever is higher, is a reminder to global organizations that they need to evaluate their obligations and take steps to be ready when regulations come into force.

Skills To Climb the Mountain

We continue to see that the rapid evolution across the legal industry is being met with flexibility, creativity and innovation. Legal teams are acting nimbly in a changing environment and are working diligently to stay in front of data disasters. The successes — and the failures — we read about in the headlines are shaping best practices for data security, IG and technology implementation. By building the skills and knowledge outlined above, practitioners will be better equipped to climb the mountain of never-ending data challenges.

…related disciplines in e-discovery, records management, archiving and storage optimization. Contact her at sonia.cheng@fticonsulting.com.

This article was first published in ILTA’s Winter 2016 issue of Peer to Peer titled “Professional Development: Sharpen Your Skills” and is reprinted here with permission. For more information about ILTA, visit www.iltanet.org.
How to Safeguard the Crown Jewels in the Age of Information Security Threats

In the last two years, data breaches have plagued organizations across every industry and in the public sector, including Ashley Madison, the IRS, BlueCross BlueShield, CVS, Experian, Army National Guard, Sony Pictures, and many more. As technology evolves and security risks rise, lawyers are confronted with an increasing challenge to satisfy their ethical duties of competence and confidentiality, making the issue of securing data and mitigating breaches increasingly severe.

This article will explore data breaches in detail, discussing how counsel can respond to these events, and outlining practical ways to implement a tiered approach to securing a company’s crown jewels.

The recent Advice from Counsel (AFC) study, which examines practices within Fortune 1000 legal departments, found that 76 percent of respondents have information governance programs — dedicated staff and budget — and that data security is the number one driver for these programs. Similarly, an article in Bloomberg Businessweek cited insider threats, both intentional and accidental, as the biggest concern for more than 70 percent of information security managers. However, the initiatives cited in the AFC study ranged across 30 different focus areas, including data security, efficient records retention, data analytics, and data optimization for litigation needs, underscoring the challenge organizations often face with information governance. How can in-house counsel implement programs that are continually improving and holistically addressing all major data challenges, while simultaneously resulting in tangible benefits?

In looking at information governance for data security specifically, AFC study respondents identified four key areas:
■ Securing sensitive personally identifiable information (PII) for clients/customers, patients and employees, and fulfilling the responsibility for protecting the sensitive information of customers and employees;
■ Securing sensitive company IP;
■ Creating a tiered security network to protect against cyber security threats; and,
■ Developing protocols and systems to ensure secure access to the network by partners and other approved third parties.

Parsing “data security” into these buckets can help organizations take a large challenge — protecting the organization’s data from internal and external threats — and channel it into initiatives that are smaller, more focused, and easier to accomplish. Protecting customers’ credit card information, for example, may require different technology and processes than authenticating the identity of employees trying to access the company’s intellectual property. Depending on the industry and its regulations, a company’s crown jewels can include customer credit card records, salesforce client lists, proprietary IP, and employee or patient health information. Whatever a company considers its most valuable or sensitive data, the steps for securing that data through information governance are the same.

Origins of security leaks

Understanding the root of most data breaches is critical to prevention. Employee negligence, a mobile workforce, and hacking are the three causes of most breaches. Below is an overview of each of these areas, which is the first step in helping counsel understand exactly where security events originate.

Employee negligence

According to the Ponemon Global Cost of Data Breach study, breaches attributable to employee negligence rose by 72.7 percent between 2012 and 2013. The ACC Foundation’s The State of Cybersecurity Report: An In-house Perspective found that in 2015, employee error was the leading cause of data breaches. This type of breach happens when employees accidentally download malware, fall victim to hacker schemes, or inadvertently email confidential information to the wrong contact, among other actions. It’s important for counsel to be aware of this risk, and to work with other information governance (IG) stakeholders within the organization to manage employees and ensure they understand their role in maintaining data security.

The 2010 breach of employee log-in credentials and other data at Business Wire serves as a prime example of employee negligence resulting in compromised security. In this case, a Ukrainian hacker penetrated Business Wire and other newswire companies using a tactic known as spear phishing. The hacker sent emails to employees that appeared to be legitimate. When employees clicked on the email, however, hackers then gained access to the entire company’s…

Jennie McQuade is the chief privacy officer and chief legal counsel for Swisslog Healthcare, a member of KUKA Group, a global supplier of intelligent automation solutions. The views expressed in this article are the author’s and not necessarily those of Swisslog or KUKA Group. jennie.mcquade@swisslog.com

Jake Frazier is a senior managing director of FTI Consulting, based in Houston, TX. He heads the information governance and compliance practice in the technology segment, and helps identify, develop, evaluate, and implement in-house e-discovery and information governance processes, programs, and solutions. jake.frazier@fticonsulting.com
…encryption, security event information management systems, etc.,” he says. “But as we’ve seen for the most part, that is not sufficient, people will get in one way or another, so the problem is once they get in through a backdoor or over the fortress wall, then they can just run amok.”

Triage and Mirage

But this can only happen if data is out in the open for cyberattacks to exploit. Paramount to any data breach preparation is the golden rule of any information governance program: knowing where sensitive data resides. Yet this, of course, is much easier said than done.

“The key to a good IG policy,” explains Farid Vij, lead information governance specialist at ZL Technologies, “is having a complete understanding of your data at all times so that you can be in a proactive position during a data breach, which is the biggest challenge for enterprises today. There’s simply too much data.”

Thankfully, however, data breach preparedness doesn’t require an all-or-nothing approach.

“This isn’t about creating a basic data map; today, we have to get down to the content level of the document to identify things like personally identifiable information, personal health information, and payment card information.” What this comes down to is extracting the most sensitive information from the daily network traffic and regularly created or obtained files, and placing it in repositories with security provisions and data backup options.

“That’s definitely one of our most popular engagements right now,” Frazier says. He adds that in previous client engagements, “we were looking at the transactional data that had to do with account setup, and account numbers, things like that,” in order to create “a tiered approach where critical, private data goes off to other repositories that are much more secure, and your transactional data stays behind.”

While these repositories can have the usual layers of security such as “requiring stronger passwords and dual factor authentication,” Frazier notes that they can also provide “data masking.” This entails scrambling data to create invalid credit card or Social Security numbers. These work as decoys to cyberattackers, while allowing developers to build and test apps using the information as well.

Careful Sharing

Equally important and valuable in data breach preparedness is controlling user access rights to these data repositories.

“The key challenge with these breaches is often figuring out what data has actually been compromised and ironically, most organizations don’t know where to start,” says Vij. “Take Sony, for example. The majority of the risk and cost associated with the cyberattack was not the data that was directly hacked, but all the data that the hackers got access to as a result of securing passwords and confidential information.”

But as Terrence Coan, senior director in the Law Firm Advisory practice at HBR Consulting, explains, when it comes to delegating file access, the legal industry is ahead of the game. “Law firms are obviously very organized around client and matter, so there’s an implied hierarchy; if I know who is authorized to access a client matter, then when I file documents into the system by that client and matter, the system applies the appropriate security to the matter team or to those who have reason or right to know.”

Yet like any company in the 21st century, law firms are also at the mercy of file shares, which, while increasing employee efficiency and collaboration, potentially leave valuable data unsecured and accessible to all. Frazier calls file shares “one of the least secure areas in a network, because it doesn’t have really rigid permissions. There are a lot of permission profiles on file shares that we see called ‘everyone,’ which means anyone who is in the network can just navigate to the file shares and have access.” He adds that such areas have been used as “dumping grounds,” where in a recent engagement with a client, Frazier and his team found “a few petabytes of data.” Such file shares, he notes, can include “HR records, compensation statements, customer records, and permission forms to set up direct deposits with routing numbers and account numbers, and all kinds of really risky data.”

But like a potentially unsecured database, Coan says, file shares can be an easy fix. “We may lock those down and prevent people from filing to those locations going forward. While we may not delete the materials currently filed there immediately, we tell users that these locations are not an appropriate place to file materials, and if they do file materials on a network file share, we are going to purge them automatically within a defined period of time.”

Of Man or Machine?

While breach preparedness seems simple in theory, execution may be a whole other story.

“On almost every engagement, I’m asked by the clients, do you believe in a human approach where users are going to classify the data and put it in the right spot, or do you believe in a more automated scanning approach? And my answer is always yes — both,” Frazier says. “So it’s always a belt and suspenders approach that works best.” Using scanning and AI technology even on computers not connected to the network, he adds, can allow companies to find, move or lock down critical files.

“But in the end,” says Coan, “it often comes down to users having to interact with the data to have context to what the data is saying. If they have personal experience with it, they can then make an informed decision where it goes.”

Admittedly, it can be difficult to trust employees — after all, the rise of shadow IT, file shares, and poor digital hygiene has made insider threats more probable than external breaches. But employees will always remain central to breach preparedness and must be kept up to speed through constant training, Coan advises.

“It’s always more going to be a situation that they don’t train enough. And that’s because they can’t or don’t get the budget to do the necessary training and education. … There has to be ongoing and routine training, there needs to be training for new employees who are brought into the organization, and there has to be refresher training of the entire employee population on some periodic basis. For example, every year or every couple of years, just to remind people about why this is important, why we are doing it and what we are expecting people to do.”

And more important, Frazier notes, training works: “We find ultimately that through education and awareness, people do get better about how or when they use shadow IT such as cloud storage, or that they are more rigorous around defining who can access it and making sure that there are controls to minimize unrestricted access by somebody who shouldn’t have it.”

When developing a data breach preparedness plan, he adds, companies must also be careful not to set employees up for failure by encouraging them towards shadow IT or other risky tech behavior. “In a breach, when systems start getting shut down, knowledge workers have pressure to get their jobs done. If all of a sudden emails are not working because there’s a breach, it’s not unlikely that you’ll see users using Yahoo, Gmail, Dropbox, Google Drive and really anything they can get their hands on to continue to do their job.”

Companies, Frazier says, need to let “users know if there’s a breach, don’t go using other systems, and your manager will take into account any lost time due to this breach — an escape valve, so that the day-to-day pressure is alleviated a little bit while the breach remediation is happening.”
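Two of the practices described above reduce to a small amount of code: getting “down to the content level” to find payment card numbers and Social Security numbers before routing a document to a more secure repository, and masking those values so the stored copies are invalid decoys that developers can still test against. The Python below is an added example, not code from the article or from FTI, ZL Technologies or HBR Consulting. The sample documents are constructed; the PAN and SSN patterns and the “secure-repository”/“transactional” routing labels are assumptions. The masking keeps the six-digit issuer prefix, scrambles the rest with a salted hash, and then forces the result to fail the Luhn check, so a decoy can never pass as a real card number.

```python
"""Content-level scan for card numbers and SSNs, routing, and decoy masking.

Added example, not code from the article or any firm it quotes. Sample
documents, patterns and routing labels are constructed assumptions.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; filters most order/tracking numbers that look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings; kind is 'PAN' or 'SSN'."""
    found = []
    for m in PAN_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.append(("PAN", m.group()))
    for m in SSN_RE.finditer(text):
        found.append(("SSN", m.group()))
    return found


def route(docs: Dict[str, str]) -> Dict[str, str]:
    """Documents with any finding go to the secure tier; the rest stay transactional."""
    return {name: "secure-repository" if scan(text) else "transactional"
            for name, text in docs.items()}


def decoy_pan(pan: str, salt: bytes = b"example-salt") -> str:
    """Format-preserving decoy: keeps the 6-digit issuer prefix, scrambles the rest
    deterministically from a salted hash, and guarantees the result fails Luhn."""
    digits = re.sub(r"\D", "", pan)
    stream = hashlib.sha256(salt + digits.encode()).hexdigest()
    scrambled = "".join(str(int(c, 16) % 10) for c in stream)[: len(digits)]
    decoy = digits[:6] + scrambled[6:]
    if luhn_ok(decoy):
        # bump the check digit by one: the Luhn sum moves off a multiple of 10
        decoy = decoy[:-1] + str((int(decoy[-1]) + 1) % 10)
    return decoy


def decoy_ssn(ssn: str) -> str:
    """Keep the last four digits (what support staff match on); area 000 is never issued."""
    return "000-00-" + re.sub(r"\D", "", ssn)[-4:]


# Constructed sample documents (not from the article).
SAMPLE_DOCS = {
    "finance/invoice-2016-03.txt": "Card on file 4111 1111 1111 1111 exp 09/19; order 1234567890123",
    "hr/onboarding-form.txt": "Employee SSN 123-45-6789, direct deposit routing 021000021",
    "sales/pipeline-notes.txt": "Q3 call with Acme, follow up on renewal, PO 77812",
}

if __name__ == "__main__":
    routing = route(SAMPLE_DOCS)
    for name, text in SAMPLE_DOCS.items():
        print(name, routing[name], scan(text))
    print(decoy_pan("4111 1111 1111 1111"), decoy_ssn("123-45-6789"))
```

Run as a script, it prints the routing decision and findings for the three sample documents and then one masked card number and one masked SSN. The 13-digit order number in the invoice is matched by the pattern but dropped by the Luhn test; Luhn-valid runs of 13 or more digits (some account and tracking numbers) will still be flagged, so findings need review. The scan reads plain text only; a real deployment feeds it text extracted from office documents and mail and walks the file shares discussed above rather than an in-memory dictionary.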
Reprinted with permission from the May 31, 2016 edition of Law.COM © 2016 ALM Media Properties, LLC. This article appears online only. All rights reserved. Further duplication without permission
is prohibited. For information, contact 877-257-3382 or reprints@alm.com. # 087-06-16-02
Tackling Data Security Risks

Data breaches. Employee fraud. Regulatory change.

These headline-grabbing business challenges are keeping many legal, information security, IT and compliance departments up at night. Organizations are challenged to support the modern workplace environment – mobile phones, remote employees, cloud collaboration sites, social media, IM platforms and chatrooms – while keeping this data secure and easily retrievable for legal or regulatory needs. How can organizations create an information governance framework that protects data while staying adaptive to the rapidly evolving business landscape (GDPR, Brexit, Privacy Shield, etc.)?
© 2017 FTI Technology, LLC. FTI Technology is a business of FTI Consulting, Inc. FTI Consulting, Inc., including its subsidiaries and affiliates,
is a consulting firm and is not a certified public accounting firm or a law firm.
We asked this question of 33 information security, risk, legal, IT and compliance executives, most of whom work at Fortune 1000 companies with responsibilities that include anti-fraud, data privacy, regulatory compliance, information governance and other risk management activities.

Start with a Data Assessment.
For many, the process of beginning an information governance program can be daunting.
Where do you begin? Who should be involved? How do you ensure the right executive
buy-in? How do you keep momentum going?
To help answer these questions and focus the project, a third of respondents recommended
conducting a data assessment at the outset.
Advice:
A. “Conduct a baseline assessment without any assumptions and understand the company’s culture.”
B. “Start with an assessment and determine what is already being managed; since you cannot boil the ocean, you need to figure out where to start and where you need to go.”
C. “That risk assessment should drive where you need to focus your efforts.”
Benefit:
Have a clear roadmap that will help you prioritize projects.
Advice:
A. “If it is just you on an island, you will not succeed; tap into industry analysts and thought leaders for guidance since you cannot do it alone.”
B. “Hire someone with a good deep knowledge of technical implementation and crafting policy.”
C. “You need to ask someone and figure out what others are doing; engage a full cross-section of business personnel beyond senior leadership.”
Benefit:
Subject matter experts can ensure your program is up-to-date, and internal leaders can
aid in company adoption of best practices.
Advice:
A. “Data has a lifecycle and represents a huge liability today. At the end of its useful life, a company needs to purge it to promote an environment of data minimization.”
B. “The most important data held in Salesforce is not that substantial, but shared folders are filled with significantly more data. The key data is not that substantial.”
Benefit:
Less data means lower storage costs and the ability to focus on protecting sensitive
information.
Respondents recommended conducting an analysis of the law to understand how this will
impact current processes and systems.
Advice:
A B
Benefit:
Understanding and acting in compliance with GDPR from the outset of implementation
can help your company avoid costly fines and reputational risk.
Advice:
A. “Office 365 has new encryption technology to protect data better. The use of cloud-based storage for employees facilitates sharing, but opens up a new set of compliance standards and requirements.”
B. “The company implemented a 90-day e-mail retention program along with Office 365 so if you do not manage your e-mail within 90 days, it is automatically deleted.”
C. “Cloud e-mail in general has created information governance concerns, including expanded individual storage, which has created concerns about over-retention resulting in litigation challenges, but there is better ability to search and manage the data, which is an advantage. The cloud system has inherent vulnerabilities, but Microsoft is a trusted partner.”
Benefit:
Take advantage of a company-wide migration to remediate old data and update
important policies and processes.
Advice:
A. “Know your audience and make sure the program is culturally adapted to the organization.”
B. “Knowing the population of people you serve personally, figuring out how to make compliance a value-added part of their activities, and fully understanding the businesses that you support is key.”
C. “The biggest thing is to engage the business and make sure that what you are doing is right-sized for the organization and that you have the resources to achieve success.”
Benefit:
Information governance and data security have a greater chance of success if the program
is fine-tuned to the needs and culture of the organization.
Advice:
A. “Encrypt data so that personally identifiable information is stored in a protected environment and access is limited to those with positions that require such access.”
B. “Some competitors pay ‘friendly hackers’ to test their systems.”
C. “Figure out how to get employees taking more training and determine how to make the training message more effective.”
D. “The ability to be prepared to take the necessary steps to protect customers when the data breach happens is as important as prevention; there is just as much liability created by a poor reaction as by the fact that it happened in the first place.”
E. “Encourage a clean desk policy so that information is secured at the end of the day and personal information is not left publicly available in breach of a client’s security request.”
Benefit:
The adage “hackers only need to get it right once, whereas organizations have to get it
right every time” is true, but implementing the right programs can help ensure better
security. This includes regular employee trainings, using outside third parties to test
your system, creating a tiered architecture to better secure sensitive information, and
developing a data breach response plan.
Of this year’s participants, 100 percent develop and implement compliance policies and processes,
while 78 percent select, implement, or manage information governance software and service providers.
Survey Participants by Industry*, 2014 Revenues, and Number of Employees (three pie charts, not reproduced here). Industry categories: Technology, Financial services (including banking and credit institutions, as well as insurance companies), Retail, Manufacturing, Life sciences, Telecommunications, Security, Transportation, Energy and utilities, Engineering and architecture, Entertainment, Media. Revenue bands: total annual revenues below $1 billion, between $1 billion and $5 billion, and greater than $10 billion. Employee bands: fewer than 500, 500 to 999, 1,000 to 5,000, 5,000 to 10,000, and greater than 10,000 employees.
As data grows in size and complexity, we help organizations better govern, secure, find, analyze and rapidly make sense of information. Innovative technology, expert services and tenacious problem-solving provide our global clients with defensible and repeatable solutions. Organizations rely on us to root out fraud, maintain regulatory compliance, reduce legal and IT costs, protect sensitive materials, quickly find facts and harness organizational data to create business value. For more information, please visit www.ftitechnology.com.

For more information: ftitechsales@fticonsulting.com, www.ftitechnology.com
North America: +1 (866) 454 3905; Europe: +44 (0) 20 3727 1000; Australia: +61 (2) 9235 9300; Hong Kong: +852 3768 4500; Shanghai: +86 21 5108 8002; Tokyo: +81 3 5369 3939

© 2017 FTI Technology, LLC. FTI Technology is a business of FTI Consulting, Inc. FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.
Identifying & Protecting the Corporate Crown Jewels
By Jake Frazier, Senior Managing Director, FTI Technology

Anyone who owns a home understands they need a way to [...] family’s “crown jewels,” [...]

[Figure: Information Governance Reference Model (IGRM). Linking duty + value to information asset = efficient, effective management. Labels: Unified Governance; Policy Integration; Business; Value; Privacy & ...]

2/12 Identifying & Protecting the Corporate Crown Jewels © 2015 FTI Consulting Technology, LLC
Categorizing Critical Information

Data cannot be simply locked up and shut away. If that happens, it becomes useless. Think about heirloom jewelry. It was meant to be worn, but if it is kept inaccessibly in a safe deposit box at a bank downtown, it cannot be. Similarly, paintings may be extremely valuable, but storing them in a fireproof warehouse makes them less enjoyable.

At the same time, it is critical to determine what type of information requires protecting. For example, much like flammable household products, some information may not be considered crown jewels, but can quickly cause tremendous damage in the wrong hands. Sony Pictures Entertainment learned this lesson when it was hacked last year and lost control of the Social Security numbers of workers who had long since left the company.1

Crown jewels can be divided into several categories and can exist in multiple locations and different formats:

Information that may not be destroyed

Some information may need to be carefully maintained, not because it has intrinsic value but due to legal holds, regulatory requirements and other reasons.

This type of information can exist in many places within organizations, such as a file share, on an employee’s mobile device or on a hard drive. It must be protected from inadvertent destruction.

Some of these files may be old or exist in legacy formats. When moved to a secure location, this type of data needs to be handled carefully, so that none of the metadata is altered. If no one at the organization knows what data exists and where it is, companies can easily find themselves with “dark data pools.” This can include decades-old paper files or microfiche that are in storage.

Items of actual value

Like real precious jewels, some corporate information is truly valuable. This can include customer lists, formulas, intellectual property, schematics, pricing templates and other types of information that provide competitive and strategic advantage. As in the Sony case, it can also include master copies of intellectual property (e.g. films not yet released).

Information that can be risky or dangerous in the wrong hands

Some information must be kept private, regardless of its actual value. Employee records are a good example of this, as are documents developed for regulators and documents that carry attorney-client privilege, or the Social Security numbers of the prior Sony employees. These documents are likely much more valuable to outsiders than to the company itself, and therefore must be protected carefully.

Information that can be risky or dangerous to keep in any hands

Some information can cause significant reputational risk if it isn’t protected. Other information can be very costly, particularly if it becomes potentially responsive in litigation. This was also a factor in the Sony hack.

Many organizations are confronting a relatively new problem, as their store of emails begins to stretch out for years and even decades. This can include emails sent and received by people who left the organization a long time ago. If these old emails contain keywords that have been identified as part of an e-discovery collection, those emails will end up in the document populations that must be reviewed. No one who is currently employed by the company may be familiar with the people or issues that have triggered the review. The document reviewers may not be able to determine if the emails are responsive, so they may need to produce them. Then the legal team has to answer questions about the emails. This can be enormously time-consuming and costly. It may also require companies to turn over meaningful documents to adversaries.2

1 “Sony Pictures Reaches Settlement in Hacking Lawsuit,” Los Angeles Times, September 2, 2015. http://www.latimes.com/entertainment/envelope/cotown/la-et-ct-sony-hack-studio-reaches-agreement-to-settle-with-plaintiffs-20150902-story.html
2 “The Best Way to Use Data to Cut Costs? Delete It,” CIO Insight, August 17, 2015. http://www.cioinsight.com/it-strategy/big-data/slideshows/the-best-way-to-use-data-to-cut-costs-delete-it.html
By hanging on to information that is of no use, companies may also misallocate information that is very valuable. It’s like buying an expensive sports car, and not being able to park it in the garage because of old furniture stored there.

The same tools that help organizations identify their crown jewels can also help find documents that no longer have any value and should be deleted. Valuable information should be stored under lock and key, while the junk should be tossed out.
Identifying the Crown Jewels

Deciding what qualifies as a crown jewel or one of the other important data types can be challenging, even after defining what all the types are. For purposes of simplicity, in this paper we will group all of the various types of important data under the crown jewels moniker. When grouping data it is tempting to rely on the information technology department, but this is often not the best group to make this determination. (They will protect the information, but someone else needs to define what is important and worth protecting.)

When figuring out who should identify the information that needs protecting, it can help to think of a Venn diagram. Crown jewels can be found in three types of groups that can overlap: information subject to legal holds; records that must be retained to satisfy regulatory requirements; and data that contains business value. Crown jewels can reside in any of these three circles. The rest is information that can be deleted according to the schedule of the company’s records management program.

[Figure: Venn diagram of three overlapping circles: Information subject to legal holds; Records retained to satisfy regulatory requirements; Data that contains business value.]

Generally, three different groups within companies should identify the information: the legal department, the records management group and the businesspeople. But it’s not necessary to form another committee and bring representatives from each group together to review every potential piece of data. Instead, each group should be given access to the underlying database where the records are kept, with each group having its own interface into the data. For example, the legal group’s interface can help it manage legal holds while records management’s interface assists it in tracking what information must be retained for which length of time as part of the company’s document retention policies.

One thing to keep in mind: important information is often kept together. Just as you may have all your jewelry in a single drawer at home, your customer lists may all be in the same electronic file on a drive shared by the marketing department.

From a strategic value point of view, the businesspeople should decide how long information should be retained, based on the last date it was accessed. In other words, if people are looking at the information, it has value and should be retained.
Keeping Information Safe

Once legal, records management and the businesspeople have determined what and where their crown jewels are, it’s time to develop the processes to keep that data safe. In parallel with tracking which employees are placing information in the central repository, it’s important to begin training.

When creating the repository for the crown jewels, organizations may be tempted to think of it as similar to a home security system. Companies generally focus on designing systems to keep out external threats. However, homes are at a much higher risk from internal threats, such as housekeepers and other employees. When considering the process for securing critical information, organizations should look for tools that protect against threats like hackers, but they also need to figure out how to safeguard data from those inside the organization. These internal threats often come from those who aren’t deliberately malicious, but who hoard valuable data and never release it into the company’s systems. Without a central repository to store the crown jewels, important information may exist that no one has visibility into or can find.
Such a repository must be much more sophisticated than a simple file share, which anyone can access and copy or delete files from at any time. Rather, the central repository should have more granular security, such as classification labels, different access tiers and permissions, in order to better control access. It also requires more sophisticated storage and backup procedures than a standard file share.

Creating an audit and reporting trail is extremely important. When someone identifies information as a crown jewel, it should automatically trigger a set of steps to identify and preserve that information. Companies should also institute and maintain a hierarchy of important data, since not all valuable information is equally valuable. For example, information that falls under a legal hold should have the highest priority: a hold must block deletion even when the record’s normal retention period has expired.

From a change management standpoint, companies probably should not attempt all of this at once, as employees will become overwhelmed, systems may fail and momentum will be lost. The first step should be to report on which information is worth keeping, and then identify where the information resides. Before deleting the data, it should be moved to a separate, access-controlled location as a fallback, in case there are issues while the new system is being instituted.

Once procedures are in place, the company should regularly review and tweak them when necessary. More efficient processes may be identified, new regulations regularly emerge and legal holds could close, allowing data to be deleted. However, the technology itself should be extremely flexible, with no limits to the data that can be classified as crown jewels.
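The repository rules described above (classification tiers, per-role permissions, legal holds that outrank the retention schedule, and an audit trail of every decision, denied or allowed) can be written down as a small policy model. The Python below is an added illustration for this edit, not FTI’s software and not code from the original paper. The tier names, the role names, the mapping of roles to tiers, the rule that only the legal role may place or release holds, and the sample record and dates are all assumptions.

```python
"""Added example (not from the original paper): a minimal policy model for a
crown-jewels repository. Tier names, role names, the role-to-tier mapping, the
legal-only hold rule and the sample record are assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

TIERS = ("internal", "confidential", "crown_jewel")  # least to most sensitive (assumed)

# Which roles may read each tier (assumed mapping; a deployment would load this from policy).
READ_ACCESS: Dict[str, Set[str]] = {
    "internal": {"employee", "records", "legal", "admin"},
    "confidential": {"records", "legal", "admin"},
    "crown_jewel": {"legal", "admin"},
}
HOLD_ROLES = {"legal"}               # only Legal places or releases holds (assumed)
DELETE_ROLES = {"records", "admin"}  # only these roles may dispose of records (assumed)


@dataclass(frozen=True)
class Principal:
    name: str
    role: str


@dataclass
class Record:
    record_id: str
    tier: str
    legal_holds: Set[str] = field(default_factory=set)
    retain_until: Optional[date] = None  # end of retention schedule; None = no schedule


@dataclass(frozen=True)
class AuditEvent:
    actor: str
    action: str
    record_id: str
    allowed: bool
    reason: str


class Repository:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}
        self.audit: List[AuditEvent] = []  # append-only trail of every decision

    def _decide(self, who: Principal, action: str, rid: str, allowed: bool, reason: str) -> bool:
        self.audit.append(AuditEvent(who.name, action, rid, allowed, reason))
        return allowed

    def add(self, who: Principal, rec: Record) -> bool:
        if rec.tier not in TIERS:
            raise ValueError(f"unknown tier {rec.tier!r}")
        self._records[rec.record_id] = rec
        return self._decide(who, "add", rec.record_id, True, f"classified {rec.tier}")

    def read(self, who: Principal, rid: str) -> bool:
        tier = self._records[rid].tier
        ok = who.role in READ_ACCESS[tier]
        return self._decide(who, "read", rid, ok, f"tier {tier} allows {sorted(READ_ACCESS[tier])}")

    def place_hold(self, who: Principal, rid: str, hold_id: str) -> bool:
        if who.role not in HOLD_ROLES:
            return self._decide(who, "hold", rid, False, "only legal may place holds")
        self._records[rid].legal_holds.add(hold_id)
        return self._decide(who, "hold", rid, True, f"hold {hold_id} placed")

    def release_hold(self, who: Principal, rid: str, hold_id: str) -> bool:
        if who.role not in HOLD_ROLES:
            return self._decide(who, "release", rid, False, "only legal may release holds")
        self._records[rid].legal_holds.discard(hold_id)
        return self._decide(who, "release", rid, True, f"hold {hold_id} released")

    def delete(self, who: Principal, rid: str, today: date) -> bool:
        rec = self._records[rid]
        if who.role not in DELETE_ROLES:
            return self._decide(who, "delete", rid, False, "role may not delete")
        if rec.legal_holds:  # a hold outranks everything else, including an expired schedule
            return self._decide(who, "delete", rid, False, f"under hold(s) {sorted(rec.legal_holds)}")
        if rec.retain_until is not None and today < rec.retain_until:
            return self._decide(who, "delete", rid, False, f"retention runs until {rec.retain_until}")
        del self._records[rid]
        return self._decide(who, "delete", rid, True, "retention expired and no hold")

    def exists(self, rid: str) -> bool:
        return rid in self._records


def demo() -> Dict[str, object]:
    """Walk one constructed record through its lifecycle and return each decision."""
    repo = Repository()
    legal, clerk, staff = Principal("dana", "legal"), Principal("rm-job", "records"), Principal("sam", "employee")
    rid = "cust-list-2014"
    repo.add(clerk, Record(rid, "crown_jewel", retain_until=date(2016, 1, 1)))
    out: Dict[str, object] = {}
    out["staff_read"] = repo.read(staff, rid)                                  # denied: tier too high
    out["legal_read"] = repo.read(legal, rid)                                  # allowed
    out["staff_hold"] = repo.place_hold(staff, rid, "H-1")                     # denied: wrong role
    out["legal_hold"] = repo.place_hold(legal, rid, "H-1")                     # allowed
    out["delete_under_hold"] = repo.delete(clerk, rid, date(2017, 6, 1))       # denied: hold
    repo.release_hold(legal, rid, "H-1")
    out["delete_before_retention"] = repo.delete(clerk, rid, date(2015, 6, 1))  # denied: schedule
    out["delete_after_retention"] = repo.delete(clerk, rid, date(2017, 6, 1))   # allowed
    out["still_exists"] = repo.exists(rid)
    out["audit_entries"] = len(repo.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes concrete: the audit trail records denials as well as approvals (a denied read by the wrong role is exactly the event an investigation wants), and the hold check runs before the retention check, so a closed retention period never overrides an open hold.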
Creating Repeatable Processes Across Locations

All of this is challenging enough when companies only have one office or location. With multiple locations, the process becomes much more complicated. The terabytes and petabytes of data that companies today produce make it even harder to develop processes that are consistent and repeatable.

[...] knows when to skip files and when to review them. Indexing technology looks for additions, deletions and changes to files, and reindexes them every day. This enables a continuous process and keeps rules static until needed. That results in a much smaller expense.
Locking the Safe

Once information is identified and located, it is critical to secure it in the correct repository and otherwise continue to protect it. This includes ensuring repositories are built on WORM (write once, read many) storage, properly migrating data from legacy archives to cloud applications, having (and adhering to) a policy for archiving emerging data types, keeping messaging policies updated and developing a cloud strategy. The fact that companies may not have the technical or policy expertise to properly and cost-effectively manage all of these steps does not make them less important, and there are third parties that can step in to help meet those challenges.

This is where the rubber meets the road and companies can see tangible results. It’s also one of the ways that information governance can be used to reduce cost and risk in real-world environments, by identifying and safeguarding the company jewels. If companies aren’t doing this already, they need to start before their most valuable possessions are stolen or lost. And if they need help, they must find it.
About the Author
Jake Frazier, Senior Managing Director, Technology, Information Governance & Compliance, FTI Consulting

July 2015
The price of disks has been dropping for years. According to Gartner, the cost of disk storage per terabyte has been falling, too. Additionally, distributed computing, virtual machines and on-demand storage capacity that can be ramped up or down according to a business’s needs all have combined to lower the total cost of ownership (“TCO”) for storage. This has led many business executives to believe that the TCO for data storage will continue to decline ad infinitum, allowing them to collect all the data they would like to use to improve performance and drive top-line revenues.

All this would be true if not for several inconvenient truths.

Market research firm IDC estimates that the amount of all digital data created and consumed in 2012 was 2,837 exabytes. (One exabyte equals a million terabytes.) And that number is forecast to double every two years, reaching 40,000 exabytes by 2020.

Meanwhile, ICT Analytics reports that the amount of data being stored is increasing, on average, 45 percent annually. In fact, storage is the fastest growing cost within the enterprise data center.

But, one asks, what about the cloud? Doesn’t cloud computing permit businesses to outsource storage to providers at a fraction of the cost of a proprietary data center?

Yes, it does for some types of data. But it gets complicated for critical data. Data privacy laws vary by industry, by country and even sometimes from state to state. The cloud storage providers’ business model typically assumes they can move data freely from jurisdiction to jurisdiction — optimizing server capacity and availability and, thereby, controlling their own costs. Adding jurisdiction-specific requirements to a hosting contract often can increase the cost significantly.

In practice, with the rapid acceleration of the volume of data generated (all those exabytes produced by the proliferation of sensors, tablets and smartphones) and the concomitant increase in the data that businesses are storing, the total cost of data storage is not (despite conventional wisdom) declining. How could it? Walmart, for example, handles more than a million customer transactions each hour and imports those transactions into a database estimated to contain more than 2.5 petabytes of data.

Do the math.

If a hypothetical company stores one petabyte of data this year, it will store 1.45 petabytes next year.

If the cost to store data drops 15 percent a year (or even 30 percent at the high end) while volume grows 40 percent or more, it’s easy to see that the conventional wisdom that the total cost of storage is declining is wrong. And this simple calculation does not include ancillary storage costs such as staffing; data backup; and confirmation that the data collected are accurate, useful and clean.

This growth in storage and its management is placing a growing burden on all businesses — a hidden tax that is ever increasing. However, this is a tax that businesses can do something about. They can delete a significant percentage of their expensive-to-store data.

Unfortunately, while everybody is storing more data, very few are deleting any. Call it data hoarding.

Data Hoarding: Sense and Nonsense

Not all data that businesses collect are useful. Indeed, as the enterprise’s haystack of data climbs ever higher, businesses often do not know what data they possess. Much of the information may be — and frequently is — junk, and data analysts waste time working with this junk, finding spurious patterns within it, thus hindering the company’s decision-making capabilities while incurring needless costs.

Why do businesses collect and store more data than they are able to process and use? One reason is Big Data hype and the vague belief that more is better — that somewhere in that ever-growing haystack is a golden needle that will produce new insight and generate additional revenues. This, however, is not a business strategy; it is a business wish.

Another reason businesses store data is fear of the possible legal consequences that may arise from deleting information. U.S. Securities and Exchange Commission regulations, for instance, demand that brokers and dealers retain all client account information for six years and copies of all reports requested or required by regulators for three years.
Regulations such as these encourage data hoarding, as many businesses believe that in the current rigorous regulatory environment, it is safer to keep everything and delete nothing. There is, in effect, no obvious incentive to delete, and underpreserving creates risk if data later are deemed critical or discoverable. Recognizing this growing problem, and the potentially unreasonable persistence of data, some European states have proactive deletion policies, especially in cases such as employee performance reviews and disciplinary actions. According to the European Union Advisory Board on Data Protection and Privacy, “The annual assessment of a worker contains information regarding a concrete date and a given contact. After some years, there is no reason in principle to store information regarding such evaluations. Therefore, the retention period should be limited to two or three years maximum after the evaluation.”

In litigation, U.S. courts instruct juries to place a negative inference on the absence of relevant data such as emails, thereby encouraging businesses to store everything in the event there ever is a request to produce information in the discovery phase of a lawsuit or trial. However, that court mandate applies only if there was a duty to preserve the data in the first place. Unfortunately, that duty rarely is defined before a case is brought, and overpreserving, and failing to remediate backup materials, results in additional costs when there is a request to produce, as attorneys or e-discovery providers must spend time reviewing a greater quantity of material.

The hours add up.

A 2012 RAND study found the cost to review one gigabyte of data was $18,000. Of course, improvements in e-discovery and predictive coding technologies can reduce those costs, but, again, as volume increases, those savings can be devoured.

Volume is key and creates its own risks. For one thing, if more data are stored, there, obviously, is a greater amount of data to lose. Recent high-profile data breaches at various retail and entertainment companies have made public enormous troves of data.

Breaches are expensive. According to a recent Ponemon Institute study, the average total cost to an organization of a data breach in 2014 was $5.85 million.

That’s real money.

And today, even smaller companies are collecting — and storing — an ever higher volume of data as smartphones make data more available to businesses. Almost all retail sectors are seeing enormous growth in smartphone purchase conversion. According to Cisco’s Visual Networking Index forecast, the global information processing traffic will grow at a compound annual growth rate of 20+ percent from 2013 to 2018, with over half of that coming from non-personal computer devices. All this collected data attract hackers and other criminals, as personal credit information (which either can be used or sold) becomes more available and accessible.

Businesses can attempt to secure their data — as they should — but recent history indicates there’s no guarantee they can do so successfully. The simplest solution to the risk and expense of collecting and storing too much data is deleting the data not needed.

Getting Rid of Junk Data Requires Information Governance

Storing data that businesses don’t have to keep ends up absorbing capital that otherwise could be deployed on operations or investments or return on capital. If a business chooses to reduce spending by cutting budget or laying off workers, in effect, it has (perhaps unknowingly) chosen data — much of which may be junk — over working capital and productive employees. It, therefore, is important to understand that junk data — and the attendant tax they levy on a company’s resources — are not an information technology (“IT”) problem; they are a business problem.

To attack the junk data issue, businesses must take a holistic view of the challenge, working across functions. That includes the chief information officer and the chief financial officer, as well as the company’s Legal, Compliance and Security departments. Working together, the company can determine what data it needs to store and what data it can delete. The return on investment (“ROI”) of deletion will become visible to the business as it begins to understand the extent of the resources needed to secure that data.

This is known as information governance. Good information governance requires creating a map of information assets across the business units, including cloud applications. This is the first step toward accurately classifying and categorizing data and allows a comprehensive assessment of which assets should be retained and which can be deleted.

Developing defensible statistical sampling protocols can help businesses reduce large amounts of stored media. Indexing and machine analysis of backup media can pinpoint what data should be preserved and what can be deleted.

Trying to delete large quantities of data manually is difficult and expensive; it is a process that begs to be automated.
This means establishing machine rules that mandate the deletion of unnecessary and vulnerable duplicates. These are created when multiple copies of documents or files are downloaded to often-insecure devices or when individuals email files to themselves. It has been estimated that in a number of companies, duplicated files represent 20 percent to 40 percent of the data. Reducing duplication is a good thing. It improves operational efficiency, as duplicate data drive up data volume while slowing processing times and hampering business agility. Deleting duplicate data also decreases legal review costs as attorneys no longer have to examine repetitious documents. Good information governance is an investment with an immediate and long-term ROI.

For example, in 2014, multinational metals and mining company Rio Tinto, which was generating a rapidly growing volume of data, identified approximately 40 percent of its stored data as junk or, in the words of its head of global business services, “eligible for defensible destruction.”

Acknowledging that Rio Tinto, like most large companies, is not good at “hitting the delete key,” the executive said the company saw “a strong ongoing business case” for lowering storage costs “while strengthening our overall information governance across Rio Tinto.”

It has been estimated that Rio Tinto immediately saved $8 million simply by eliminating 35 percent of the file shares in its network.

In another instance, a top-tier financial institution was able to get rid of useless log files (records of requests to servers saved to hard drives, including those created during system installations) that were stored in the depths of its IT system and provided no value whatsoever. Working with FTI Consulting, the bank was able to delete hundreds of useless terabytes of data. At a cost to store of $3.20 a terabyte, the company saved over $600,000 in the first year and more than $3 million over five years.

Another financial institution was sending thousands of backup tapes every month to an information management services company. Although the cost of storing tapes isn’t large, the software that makes the tapes must be licensed from a software provider — a recurring and perpetual expense. Reducing the number of tapes and licenses translated to impressive savings for the firm.

Of Course, No One Said It Would Be Easy

In many businesses, data storage is considered an IT issue, and if IT tells a business unit leader that it wants to delete the unit’s data, there’s generally pushback. After all, the data belong to the business unit, not to IT, and maybe, just maybe, the information is valuable.

Even when an enterprise recognizes that it has a data retention problem, business-level views do not always align. The issue is that each business function considers data differently. Various functions have unique needs, requirements and targets, and these factors often discourage deletion. It necessitates someone with appropriate perspective and seniority to see across the business’s fiefdoms and work with Legal, Compliance, Security, IT and the business units to implement an information governance plan and begin deleting junk data. This is why, in the long run, information governance efforts have to be led from the top.

No End to the Data Deluge

As smartphone adoption and use increase, the digital universe will continue to grow. Right now, digital’s size beggars the imagination. In a few years, it will defy it. Unless businesses begin deleting data they don’t have to have access to at the moment, they will jeopardize the technological, financial and operational resources available to collect, process and analyze the torrent of incoming data they will need later on. This may place them at a future competitive disadvantage while increasing the financial and legal risks currently being faced.

Deleting data is not really about saving money; it is about not wasting money and spending it, instead, on initiatives and innovations that drive revenues.

Deleting data, and the information governance processes that enable enterprises to do so safely and securely, is just good — and logical — business.
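The “machine rules” for duplicates described above start with one mechanism: identify copies by their content, not their file name, and prefer the governed copy over the ones sitting on laptops or in mailboxes. The Python below is an added illustration for this edit, not FTI’s tooling and not code from the original article. The location labels, the keep-preference order and the sample inventory are constructed assumptions; it hashes inline bytes, where a real sweep would stream files from disk.

```python
"""Added example (not from the original article): find byte-identical copies of a
file wherever they live and propose which copies to delete. Location labels, the
keep-preference order and the sample inventory are constructed assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The governed repository copy is canonical; copies on laptops or in mailboxes are the
# "vulnerable duplicates" the article describes, so they are deleted first. (Assumed order.)
KEEP_PREFERENCE = {"repository": 0, "file_share": 1, "laptop": 2, "mailbox": 3}


@dataclass(frozen=True)
class FileCopy:
    path: str
    location: str   # one of KEEP_PREFERENCE's keys
    content: bytes  # inline here; on disk you would stream the file through the hash


@dataclass(frozen=True)
class Plan:
    keep: FileCopy
    delete: Tuple[FileCopy, ...]
    reclaimed_bytes: int


def content_hash(data: bytes) -> str:
    # Hash the bytes, not the name: a renamed download is still the same document,
    # while a same-named draft with different bytes is not a duplicate.
    return hashlib.sha256(data).hexdigest()


def group_duplicates(copies: List[FileCopy]) -> Dict[str, List[FileCopy]]:
    groups: Dict[str, List[FileCopy]] = {}
    for c in copies:
        groups.setdefault(content_hash(c.content), []).append(c)
    return {h: g for h, g in groups.items() if len(g) > 1}


def plan_deletions(copies: List[FileCopy]) -> List[Plan]:
    plans: List[Plan] = []
    for group in group_duplicates(copies).values():
        # Most-governed location first; path as a tie-breaker keeps the result stable.
        ordered = sorted(group, key=lambda c: (KEEP_PREFERENCE.get(c.location, 99), c.path))
        keep, rest = ordered[0], tuple(ordered[1:])
        plans.append(Plan(keep, rest, sum(len(c.content) for c in rest)))
    return sorted(plans, key=lambda p: p.keep.path)


def total_reclaimed(copies: List[FileCopy]) -> int:
    return sum(p.reclaimed_bytes for p in plan_deletions(copies))


# Constructed inventory: one signed contract copied four times (one of them renamed), a
# draft with a similar name but different bytes, a pricing sheet on a laptop and a share,
# and a unique handbook.
SAMPLE: List[FileCopy] = [
    FileCopy("/repo/contracts/msa-acme.pdf", "repository", b"MSA ACME v3 signed"),
    FileCopy("//share/legal/msa-acme.pdf", "file_share", b"MSA ACME v3 signed"),
    FileCopy("C:/Users/sam/Downloads/msa-acme (1).pdf", "laptop", b"MSA ACME v3 signed"),
    FileCopy("mail://sam/sent/msa.pdf", "mailbox", b"MSA ACME v3 signed"),
    FileCopy("//share/legal/msa-acme-draft.pdf", "file_share", b"MSA ACME v2 draft"),
    FileCopy("C:/Users/kim/Desktop/pricing.xlsx", "laptop", b"price grid 2014"),
    FileCopy("//share/sales/pricing.xlsx", "file_share", b"price grid 2014"),
    FileCopy("/repo/hr/handbook.pdf", "repository", b"handbook"),
]

if __name__ == "__main__":
    for p in plan_deletions(SAMPLE):
        print(f"keep   {p.keep.path} ({p.keep.location})")
        for c in p.delete:
            print(f"  delete {c.path} ({c.location})")
    print(f"reclaimable bytes: {total_reclaimed(SAMPLE)}")
```

Two caveats for anyone turning this into a real sweep. A content hash matches only byte-identical copies, so an attachment re-saved by a mail client with different metadata will not group with its original; that is the safe failure mode (a missed duplicate, never a wrong deletion). And the plan is only a proposal: each deletion it lists should still be checked against open legal holds and the retention schedule before anything is actually removed.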
Jake Frazier
Senior Managing Director, Technology, Information Governance & Compliance, FTI Consulting
jake.frazier@fticonsulting.com

The views expressed in this article are those of the author and not necessarily those of FTI Consulting, Inc. or its other professionals.
© 2015 FTI Consulting, Inc. All rights reserved.
Technology Segment Information Governance Toolkit
www.ftitechnology.com North America +1 (866) 454 3905 Australia +61 (2) 9235 9300
ftitechsales@fticonsulting.com Europe +44 (0) 3727 1000
Hong Kong +852 3768 4584
areas such as investigations, litigation, mergers and acquisitions, regulatory issues, reputation management and restructuring.
www.fticonsulting.com