“The goal is to turn data into information, and information into insight.” – Carly Fiorina, former CEO, Hewlett-Packard Co.

The most valuable asset of every organization is information. Organizing, analyzing and optimizing this complex source of business intelligence can be daunting.  In addition, assuring the security of sensitive data for legal compliance and reputational purposes can at times seem an unattainable goal.  Increasingly companies look to comprehensive information governance (IG) programs to fulfill both competitive business strategies and legal obligations.

What is Information Governance?

Information governance is a framework that brings together all the requirements, standards and best practices that apply to data in order to understand and exploit diverse information resources. IG facilitates reliable and secure information delivery despite expanding global markets, on-demand user access and emerging technologies.  Consumers now expect information services anywhere and anytime.  Managing the challenges related to this demand, as well as the volume, variety and velocity of data, is the most complex issue facing companies today.

Good IG practices, based on legal compliance and business objectives, provide efficient and safe data flows both within and outside an organization. Understanding the types and location of sensitive data is the first step to an effective IG program.  Fundamental IG tools, including data maps and retention schedules, ensure appropriate technical safeguards and defensible information lifecycles.  Training and communication are essential to engaging employees, consumers, and third parties in all aspects of IG.

IG In Practice

Evolving privacy and security regulations, as well as the proliferation of outsourced data, mandate that companies apply internal IG standards to cloud providers and third-party suppliers. Corporations are now responsible for policing the information management practices of business partners and third parties or face the risk of litigation and substantial fines. Take, for example, United States v. InMobi Pte Ltd., where a mobile advertising company, InMobi, was fined by the Federal Trade Commission for tracking the locations of consumers. InMobi is a business-to-business provider and therefore never deals with mobile device users. Nevertheless, InMobi is subject to a $4 million civil penalty, which the FTC suspended to $950,000 based on the company’s financial condition. The company is also required to delete all information it collected without consent and institute a privacy program that will be audited every two years until 2036. Organizations must seek assurances of third-party accountability through strong contract language that addresses privacy, security and data standards or they remain vulnerable to additional risks.

The role of IG in privacy and security has never been more important due to the risk exposure related to data breaches. An increasingly important aspect of IG is the documentation and disclosure of how personal information is collected, processed, shared, tracked and stored.  Every breach involving personal data has the potential to fuel spectacular headlines and class action lawsuits. The devastating business consequences of a breach are verified by the fact that 51% of customers will take their business elsewhere once their information has been compromised.*

Despite the potential for lost revenue, litigation and loss of reputation, 61% of CEOs report they are not well prepared to deal with the results of a breach.* This is due in part to the constantly evolving and progressively sophisticated threats to businesses. For instance, a new form of ransomware called Mamba was recently identified. Instead of just encrypting data, this malware scrambles the entire operating system including apps, shared files and personal data, essentially leaving your computer, and potentially your whole network, entirely useless. As consumers grow less tolerant of their personal data being exposed, senior executives must make data security a priority by implementing and constantly updating comprehensive IG programs to incorporate defensible breach response and prevention procedures.

IG At Every Level

IG ultimately requires the commitment of C-level stakeholders. All C-level executives should be prepared to handle a potential security crisis with the help of IT, legal, and PR teams. This preparation should be documented in an immediately executable data breach response plan. The ability to take rapid countermeasures and openly and effectively communicate during a breach is key to effectively managing expectations of shareholders and customers. The probability of breach-related litigation is reduced with effective response and crisis management procedures as part of an overall IG program.**

In summary, good IG can provide invaluable business intelligence and opportunities based on good information insight, security and accessibility. In addition, defensible privacy and security practices are the best protection against reputation-damaging data breaches and costly litigation.

*Identillect Technologies, CEO Responsibilities for Data Breach, Retrieved from https://identillect.com/file/downloadpublication?fileUrl=%2FContent%2FDocuments%2FPublications%2FCEO%20Responsibilities%20for%20Data%20Breach.pdf (October 10, 2016).

**Romanosky, S., Hoffman, D., Acquisti, A., Empirical Analysis of Data Breach Litigation, iConference (2013).