Information Governance and the Data Life Cycle

The eDiscovery Resource Center™ is Bloomberg BNA’s comprehensive research solution for litigators and in-house counsel who require authoritative guidance on the handling,...

By Tera Brostoff

Sept. 29 — Wherever your organization or firm is in its information governance life cycle, now is the time to figure out where you are trying to get to in terms of data and records management.

That message, delivered by George Socha, Founder of Socha Consulting LLC, summed up the key points of a panel at the ACEDS 6th Annual E-Discovery Conference & Exhibition Sept. 29.

The panelists explored the definition of information governance, the tactics for success in data management and the data ecosystem. The goal of the conversation was to provide a step-by-step guide to applied information governance.

“Information governance is about getting your information house in order,” Socha explained. “You need to figure out where your data and information is, how to get at it, what you are doing with it and what you should be doing with it.”

Defining Information Governance

Socha briefly discussed the “Electronic Discovery Reference Model,” a popular tool used by legal professionals and eDiscovery practitioners to clarify processes and expectations among project stakeholders. The EDRM has undergone several iterations over the last few years to better integrate information governance goals (14 DDEE 278, 6/5/14).

“We changed the wording in the left-most box of the EDRM to include information management about eight years ago,” Socha explained. “We debated between using information management or information governance, but at the timeinformation governance seemed too much like a marketing phrase.”

But time has gone on, Socha said, and the phrase” information governance” is now dominant. The EDRM changed the phrase to information governance last year.

Success in Information Governance

Implementing an actual information governance program requires more than simply downloading the EDRM and attempting to apply its concepts to an organization's information infrastructure, however. Fred Smalkin Jr., Assistant Solicitor withthe Baltimore City Law Department, explained that a lot of hard work is necessary.

“Culture is key, however,” Smalkin said. “Culture is incredibly hard to change and involves a lot of things that are off the books or are social pressures.”

Smalkin advised creating a formal team with key personnel who understand the goals and the methods for implementing information governance. Jeffrey Brandt, Editor for Law Technology Daily Digest, Pinhawk LLC, chimed in that building such a team requires a collaborative approach.

“Normally you want to laser focus when building a team,” Brandt said. “But in terms of information governance, you need a broad spectrum.”

The Data Life Cycle

Getting a good grasp on data management requires understanding your organization or firm's data ecosystem.

“You need to understand your data's life cycle,” J.R. Helmig, Founder of Leveraged Outcomes, said. “Who touches it when? Who has access to it? What are its vulnerabilities?”

The data ecosystem begins with the administrators, data stewards and infrastructure architects, whose goal is to collect the data. Then the data ecosystem expands to the analysts and individuals who are pulling that data from the core ecosystem and are handling it. Beyond the analysts are the consumers and clients, the devices and the data providers, and the server farms.

With so much information being handled and shared, Helmig offered advice on how to deal with ‘poor user hygiene.'

“In terms of the data ecosystem, you have to make assumptions that at some point there will be data breaches or leaks, and you have to role play to mitigate and build in policies to manage that,” Helmig said.

BYOD and Hiring

Helmig and Smalkin also discussed risks and expectations in terms of Bring-Your-Own-Device policies, which incorporate those devices in the outer layer of the ecosystem.

“As a lawyer you at the very least must set up expectations,” Smalkin said. “You need something in place, such as a disclaimer, that when employees bring their own devices or applications, those devices may be seized for their data.”

Brandt agreed, saying he is a big believer in user awareness.

“Make it simple and clear,” Smalkin said. “Tell people that when there's a data breach, the bad man is going to come and get your phone.”

That disclaimer should also be ongoing and continuously refreshed, the panelists agreed. Brandt explained that the disclaimer cannot just be a piece of paper signed at initial hire.

As for the individuals who are initially handling the data, Helmig advised the audience to really vet the people that are system administrators.

“Here is where you adopt some of the most stringent hirings,” Helmig said. “If you are willing to give someone with the keys to the kingdom, why not polygraph them? Why not personally interview them?”

Helmig also noted that those individuals who are willing to go through repeated investigation should be paid for what they are worth.

Moderator Jackie Flynn, Director of BDO Consulting, asked the panelists for concluding remarks.

“You need to know how things are working in reality versus how you think things are supposed to be working,” Brandt said.

Smalkin added that information should be thought of as an asset.