Information governance (IG) is nearly impossible to achieve, but is a goal worth pursuing to protect the privacy of sensitive data and ensure organizations can meet discovery requests, according to a panel at the LegalTech show in New York.
Chris Sitter, eDiscovery & Digital Forensics Senior manager, Juniper Networks: “It's the dream to chase, the ideal,” said Chris Sitter, eDiscovery & digital forensics senior manager at Juniper Networks. With current tech almost impossible to achieve.”
To create a legally defensible IG strategy, companies must understand where information resides as well as who has the data, how to get at it and how quickly legal can get at it during discovery.
Allan Hsu, director of eDiscovery/ligitation at Fannie Mae, warned against treating all data the same. “It creates unneeded complexity and will likely cause non-compliance among your employees,” he said, noting that it's important to create workable solutions for protecting information. He pointed to BYOD as an example where employees use personal devices to store and move corporate information. “You could put them in a container but it's not efficient,” he said, raising the specter of personal privacy issues. “Can you really collect someone's personal device. It's like going into their house and looking through their drawers.”
He urged organizations to bring all content stakeholders on board, including business units to inform an IG strategy and “know where potential leak points are.”
The panelists said working with IT is critical, but legal applying a stronger hand than it has done in the past. “IT is overhead, IT always trying to find ways to cut costs,” said Hsu.
The panelists admitted that legal departments often don't consult with IT before picking a third-party vendor. But that needs to change.
Third parties should be closely scrutinized to see what they're doing to secure their networks as well as the data that is being sent to them.
“Take ownership as much as possible,” said Hsu. “If a breach occurs it's your responsibility. Your company is in the headlines.”
He said that organizations should prepare themselves for incidents. “Create a solution that is easy and actually gives you some [measure] of security,” said Hsu. “Educate employees. Have a detailed playbook laid out. Establish proper chain of communications.”
While the IG ideal may not be reachable, Sitter said companies can develop a strategy to harness their information by identifying “a couple of critical subsets” and once strategies are developed for those “use it as template.”