Information Governance and COVID-19: How to Continue the Work
Posted by Rational Enterprise | Fri, Jul 17, 2020
We recently caught up with Peter Sloan, Principal and Founder of the Information Governance Group, a highly specialized law firm focusing on the toughest challenges facing information management professionals, to assess the impacts of COVID-19 and how we can adapt our solutions as industry problems rapidly evolve.
TOM PREECE: With the pandemic and fallout so far, it seems some companies have been rudely awakened to the importance of proper records management, while others have deprioritized it in an attempt to cut costs. Have you seen more or less engagement from companies trying to update their records schedule and policies to keep up with the myriad regulations rolling out across the US?
PETER SLOAN: Frankly, it’s been a mix. I work across industries, and the reaction thus far has differed based on the pandemic’s impact on different industries. For example, utilities, financial institutions, and healthcare systems seem to be moving ahead unfazed on RIM and other IG projects, while large retailers and other industries suffering more financial stress seem to be on hold for now. I view this as temporary, for one thing the pandemic has not changed at all is the proliferation of data, and sooner or later, that data must be managed.
TOM: One of the regulations New York businesses have on their radar is the New York SHIELD Act, which received a lot of press when it was first signed into law last summer. It went into full force this March with a few key changes, including expanded definitions of in-scope information and data breaches. It seems there was a lot less fanfare in March, perhaps because of COVID-19, even though it poses a greater burden on businesses than when originally drafted. One of the requirements is that companies must responsibly dispose of information in a timely manner after it is no longer needed. Do you feel that companies truly understand the complexity of this requirement and are operationally equipped to comply? Or do you think companies are focusing too much on the breach prevention and reporting requirements?
PETER: With the SHIELD Act, New York joins other states that are beginning to move from a “mandatory minimum” approach commonplace in U.S. retention requirements generally (thou shalt retain XYZ information for at least X years) to imposing a legal duty to dispose of personal data once its purpose for collection has been met. I expect this trend to continue, moving the United States somewhat closer to the EU approach regarding personal data. As Rational Enterprise well knows, this shift is a big deal, and it requires companies to have the tools, rules, and determination to change how they manage their data.
TOM: You spent over two decades in Big Law helping companies with records retention, data management, data security, and breach response. You made the decision in 2016 to break away and form the Information Governance Group, a more nimble consultancy, and in the past 4 years, you have seen impressive growth and success. With the current pandemic, it seems there are weekly headlines of Big Law firms cutting more staff, benefits, and salaries. While no business has been immune to the impacts of COVID-19, do you think you are in a better position now to innovate and adapt to the crisis than you would have been at a larger firm?
PETER: Back in 2000 I did indeed move away from a 15-year litigation practice to build what is now thought of as an IG law practice, focused on data retention and data security. When I left my former, large law firm in 2016, I wanted to form a boutique law firm without the overhead burden that drives how Big Law delivers legal services. Call it dumb luck, but this nimble and focused platform is well-suited for these times. And “partner” meetings are pretty brisk here!
TOM: What will be the long-term impact of COVID-19 on records management as a practice? In other words, if I asked you back in November 2019, “What is the single greatest trend or force that will impact records management in the next few years?”, what would your answer have been? Is it the same answer or different today?
PETER: I would not have foreseen last November either this specific pandemic or, more importantly, our inept response in the United States. That’s perhaps excusable because I’m not an expert on public health or effective pandemic response – but such folks exist, and for many years they have warned about pandemic risks. I’ve been thinking lately about what our pandemic response can teach us about how organizations govern their information:
- Understanding risk matters. It’s a fact of life that novel viruses can proliferate, and it’s a certainty that data proliferates. At any given moment the risks may seem remote, but the risks are there, and the repercussions of ignoring those risks can be devastating.
- Planning matters. It takes time to assess risks, develop a plan, and put in place the rules, tools, and resources to manage those risks. Similar to procrastinating until a virus becomes a pandemic, waiting until there’s a data breach, or a large-litigation preservation duty, or an enterprise data system failure, at best is hugely and unnecessarily expensive, and at worst it can be disastrous.
- Testing the plan matters. The 2018 Clade X pandemic tabletop exercise hosted by Johns Hopkins Center for Health Security in Washington D.C. yielded key learnings about the gaps in our pandemic preparedness, and the U.S. government’s 2019 Crimson Contagion simulation of an influenza epidemic revealed massive holes in our response capabilities. Organizations that test their information governance capabilities with audits, reviews, and table-top exercises will see how to improve their systems for retaining, securing, and compliantly disposing of data. Data is not static, and dynamic risks require a dynamic governance response, so reviewing, exercising, and improving the program is essential.
- Commitment matters. Though hindsight is 20/20, it seems clear that the U.S. actually unwound and defunded many elements of our pandemic preparedness that were in place before 2020. There were no doubt “competing priorities” in 2018 and 2019, but we are now paying a massive price for our lack of commitment to pandemic preparedness. Similarly, there are always competing priorities for organizations, and it is tempting to lose focus on controlling data, especially if all seems like smooth sailing in the moment. But like pandemic response, the point of managing information is to stay ahead of the curve, so that when data-related risks become today’s reality, the organization is prepared.
TOM: We are trying to help our clients change the narrative as much as possible from reacting to chaos to finding the opportunity. For your own clients, what is the most important piece of advice you offer to help them achieve their goals in this new environment?
PETER: Chaos is often simply the lack of foresight and preparation. Disruption may be an innovative business model for some, but that’s only if it is others and the marketplace that are being disrupted. The right move is to try to anticipate what could happen and then to plan and resource accordingly. Now is actually a great time to revisit information compliance, risk, and value, and to strengthen the organization’s approach to governing information.