Archive | Information Governance RSS feed for this section

Tweet Me This Batman

By on May 7, 2013 in Blog, Information Governance, Social Networking

For now this is the last in a series of thoughts regarding the reining in of social networking applications. ‘Opening a Pandora’s Box – Collaboration, Social, and Litigation’ can be accessed here, and ‘Can the Caged Bird Sing’ can be accessed here. In yet another article, ‘Pitfalls of Social Networking at Work’, the author outlines both employee and management guidelines on the management and recommended ‘rules’ for social networking. The issue, of course, is the merging of personal and business, and the premise is that ‘personal’ does indeed impact the ‘business’.

A few years ago there was an uproar regarding potential employers asking for log-in information from potential candidates’ personal sites and accounts. I always felt that was a clear invasion of privacy. Although the author agreed with me, on the other hand the author does quote a source that states you could not separate one’s personal views from one’s employers’ views in the social media space. “Social media must be properly managed with a written social media policy that sets boundaries on what can be said or not said by the employee on social media space and the consequences of that action must be specific.”

How does an organization manage this with potentially thousands of employees? Do they have a right to tell employees what they can and cannot say on personal sites? Do organizations just wait to see if an ill-stated or harmful comment is made and then try to mitigate the problem?

Comments { 0 }

Bribery, Corruption, & Espionage – just another daily responsibility

By on May 2, 2013 in Blog, Data Security, Enterprise Metadata Management, Information Governance

If you are moving into the global economy, or have multinational operations chances are you are beginning to address bribery, corruption, and espionage or have been for a while. Interesting topic. As an example, under the Foreign Corrupt Practices Act, compliance rules are aimed at preventing bribery of foreign government officials in an effort to obtain or retain business. This is quite complicated, as multinationals often deal with hundreds of third parties and ensuring compliance is enough to pull your hair out. Audit rights, anti-bribery, and corruption clauses are now being used in contracts that clearly spell out the rules for third parties. All very well and good, the challenge is actually conducting an audit on third parties where business books and records are not always in the traditional form.

Wrapped up in all of this is the protection of trade secrets. For example, the Chinese are becoming well known for hacking of confidential data across organizations in multiple industries. Although the Economic Espionage Act was expanded in 2012 in an effort to protect trade secrets for US companies, it is the companies themselves that are the front line of defense. Security protocols and procedures may need to be addressed in real-time, and quickly.

Organizations need to determine exactly what data they have, where it is stored, and whether they need to keep it and assign the appropriate security. Finally, we now retreat back to the end users. A culture that educates and communicates the importance of compliance has to be implemented so all staff realize the importance of compliance.

Do you have GRC initiatives that address these potential issues? How have you handled?

Comments are closed

Poor Data Quality – Do you measure it?

By on May 2, 2013 in Blog, Enterprise Metadata Management, Information Governance

Data quality, including unstructured, can be a source of pain in the pocketbook for companies. But do companies evaluate this as a bottom line cost? I don’t think so. We jump through hoops showing the value of our software and the impact on the bottom line (which is fine) but turning the coin do companies actually look at the cost of wrong, erroneous, irrelevant information that result in bad decisions?

In a recent blog, When Poor Data Quality Lands on the Ledger, the author references a recent Mental Floss article, “10 Very Costly Typos,” including the 1962 $80 million dollar missing hyphen in the programming code that led to the destruction of the Mariner 1 spacecraft, the 2007 Roswell, New Mexico car dealership promotion where instead of 1 out of 50,000 scratch lottery tickets revealing a $1,000 cash grand prize, all of the tickets were printed as grand-prize winners, which would have been a $50 million payout, but $250,000 in Walmart gift certificates were given out instead, and, more recently, the March 2013 typographical error in the price of pay-per-ride cards on 160,000 maps and posters that cost New York City’s Transportation Authority approximately $500,000.

Perhaps humorous, I can assure you they did not put smiles on the faces of the organizations. And they all have to do with plain and simple proofing. However, organizations continue to waste time searching for information they can’t find, re-creating the information they couldn’t find, and then using the bad information to make decisions. Does that impact the bottom line? Can that approach be costly? You bet.

Does your organization spend time quantifying the cost of poor data – whether structured or unstructured? If so, how?

Comments are closed

Be careful who you sue – your Facebook page can and will be held against you.

By on May 2, 2013 in Blog, Data Security, Enterprise Metadata Management, Information Governance

I have talked about unknown privacy exposures lurking in companies regardless of size. I am often surprised that potential damaging, confidential, and privacy exposure related content is not more actively protected. The cost of eDiscovery and litigation continues to soar. Even when unavoidable, the time and human resources needed to find all relevant information increases the risk associated with the desired outcome. In a recent conversation, a company incurred process failures which required going through terabytes of information to document what went wrong and address compliance and federal regulations. So it’s not just litigation.

Although personal lawsuits, in two recent cases, social media site (Facebook) was used to counter the plaintiffs’ claims of inability to perform previous activities. In the first instance, the plaintiff had fallen down a parking garage stairwell and claimed she sustained permanent injury and was in constant pain, yet her Facebook page showed her as a bridesmaid, vacation pictures, off-roading, and drinking a large cocktail at a restaurant (maybe that was due to the pain?). The second instance was a woman who claimed that an auto accident prevented her from playing sports and the pain was worse in cold weather. Her Facebook page showed pictures of her skiing, which were taken after the accident. In both cases, the court accepted the Facebook pages to determine the outcome of the lawsuits.

Back to business. Emails are continuing to rise as a culprit in costing global companies considerable amounts of money. The same scenario and issues also apply to enterprise collaboration/social networking applications. With courts now accepting all different forms of content as admissible for corporate litigation including tweets, blog postings, comments, organizations are going to have to take a more pro-active role in identifying and securing information they don’t particularly want shared with the world. If it came from your company it can and will be held against you.

Although our technologies address this problem, it is still a large project to tackle as each business group may have ‘confidential’ information they want protected. On the other hand, ‘malicious insiders’ account for 38% of data exposures so the organization is once again at the mercy of end users.

How does your company handle, if at all? If not, why?

Comments are closed

We have been victimized by a hacktivist 416 days ago!

By on April 16, 2013 in Blog, Data Security, Information Governance, SharePoint 2013

The US Congress is dangling its toes in the water towards requiring companies to admit they have been hacked. The proposal regarding data breaches is a component of a larger draft bill being circulated in the House Judiciary Committee. In addition to raising the maximum penalty on cyber crime, it is suggesting that a business must disclose a security breach within 14 days from when it was discovered. In the case of a “major” breach, that window shrinks to a mere 72 hours, and involves the FBI or the Secret Service.

HP just released a report, HP 2012 Cyber Risk Report which stated that it takes 416 Days to detect a breach. Hmmm…somewhere the math doesn’t quite make sense. If 416 days is typical to identify a data breach, I guess reporting it within 14 days after the realization is not so bad.

Cyber crime, data breaches, and just plain old hacktivists are on the rise. The basic problem is there is no single law addressing data breach notification. For many industries they are regulated differently depending on the state they do business in. A similar situation exists in Europe, where E.U. officials have introduced their own draft regulation on data breaches, saying the mostly voluntary system it has now is “too fragmented” and leaves the region more vulnerable. Opponents have argued the proposal is burdensome because of its requirement that notifications take place within 24 hours of a data breach. If the European plan gets approved, it could boost the chances that the US Congress will pass something like it, although this isn’t the first time Washington has tried dealing with data-breach notifications and has done nothing.

I do get concerned that my data has been breached. It has happened to me several times now and I wasn’t notified for several months which I think is totally unacceptable. But on the other side of the coin, the state of Massachusetts has just ruled that zip codes are Personally Identifiable Information (PII).  The whole topic doesn’t appear to be as straightforward as one might think.

I do have a problem that a company doesn’t know that a data breach occurred in 416 days? Really?

Where do you stand?

Comments { 0 }

Get in the Fast Lane Grandma the Bingo Game is ready to Roll!

By on April 16, 2013 in Blog, Data Security, Information Governance

I just read a snippet of marketing for a new report from Forrester entitled, ‘Building Data Stewardship Is A New Customer Intelligence Imperative’ (fee required unless you are a Forrester client). It’s a subject that is near and dear to our hearts. Forrester recommends a data steward. The data steward’s raison d’étre is to keep track of data collection, governance, and privacy, which would include global imperatives (obviously if the company is global). I perceive that as not only a tremendous task but also high risk position, especially with the potential of failure.

The first hurdle is related to the tracking and implementation of governance, compliance, and privacy laws. According to the report there were ‘more than 150 pieces of privacy legislation pending in the US Congress as well as more than 90 other policies from international governing bodies’. Even if you do business only in your country there are still compliance and mandates that fall under different jurisdictions such as state, county, etc. I see this as the first hurdle to keep up with changes (all changes) and start them through the implementation process.

The second hurdle is the actual implementation of the compliance mandates throughout the organization, and potentially in a short time frame. I’m not sure how flexible and agile organizations are to incorporate these changes. I know in the US you typically have a window of time to implement but for the organization, implementation can touch many different functional areas including legal, finance, etc. all the way down to the end user.

Taking on the role of a data steward sure doesn’t seem like a stress free job. Not that all our jobs are stress free, but this one seems particularly so. I am curious if your organization has a data steward? What is their role? If you know, what is their background. Or am I all wet and it’s as easy as matching the numbers in a bingo game?

Comments { 0 }

Migration – You Mean You Are Migrating 69% of Useless Information?

By on April 12, 2013 in Blog, Enterprise Metadata Management, Information Governance, SharePoint 2013

According to a survey by the 2012 Compliance, Governance and Oversight Counsel (CGOC) Summit, 69% of corporate information that is saved can and should be deleted. That’s a pretty hefty percentage. According to IDC, 80% of enterprise information is unstructured. Let’s assume that these figures are correct. For the sake of discussion what do you do when faced with a migration? Move it all? Why? Because it’s easier and you can ‘worry about it later’? Or tell your end users to clean up their messes and trust them to do it (and correctly).

What are the problems? Migration of unstructured content can be a laborious and time consuming project. The challenge is that documents can exist in multiple places at the same time, different revisions of the same document exist, some documents should be deleted, and others should be archived. There may be records that were never declared, as well as confidential or privacy information that will not be identified when migrated. The ability to mass move content is relatively straight forward. However, from an information governance approach, mass moving content results in the same problem of mismanaged content.

To migrate document collections effectively the text content of each document needs to be searched to determine its value. This cannot be done manually, as the volume is too high, and the consistency of human review and decision making is unreliable as well as costly. If manually processed the security rights of the documents as they are moved to their new location must be applied. General migration tools cannot safeguard document confidentiality because they do not make intelligent taxonomy workflow decisions based on the text content of the document, or do it in mass.

We recommend the auto-generation of semantic metadata and a taxonomy before migration to cleanse and identify content to determine if it should be moved, if it should be archived, if it contains sensitive/privacy data, and to identify any records that need to be kept but were never declared records, or just plain delete because of redundancy and versioning.

But what about you? Since at times I have tunnel vision, how do you address these types of migration issues with unstructured content? How do you resolve and what is your approach?

Comments { 0 }

Cloud Services – You own it – you protect it!

By on April 10, 2013 in Blog, Cloud, Data Security, Information Governance

Data privacy exposures happen all the time. Most go unreported. Data, either stored in the cloud or within your four walls is your responsibility. Most cloud vendors and cloud application vendors will provide some level of protecting your data, but for the most part you are on your own. Without adequate information on the security and compliance profile of the data, including its ownership, access controls, audits and classification, cloud initiatives can fall short of expectations and put sensitive data at risk. Understanding the data owners, the authorized users, and user activity is critical to garnering organizational input, which in turn, is critical to defining the security and compliance profile of the data for internal datacenter and for the cloud.

The other issue surrounds privacy/protection laws in different countries. Issues can arise such as privacy/protection laws among government, regional, and even local authorities. In some countries there are strict restrictions on whether information can be stored outside of the country. Privacy laws can differ widely depending on the country. If you have employees crossing geographical boundaries what must be done in each scenario to remain compliant with potentially widely different restrictions?

Jurisdiction matters immensely on where the data is stored, as different laws may be applicable across multiple jurisdictions. From a legal point of view, location matters. For example, if data is being stored off-shore the laws may not have any effect. Cloud vendors can store your information on a variety of servers across the world. For example, the Patriot Act in the US allows the government to subpoena all data stored within the country, the EU Data Protection Directive does not allow personal information to be transferred to any outside country, the Massachusetts Breach Law, US, specifies that citizens’ private information must be protected and has specified strict guidelines around storage, access, and transmission of personal information. A cloud environment by nature has no boundaries requiring careful thought on who might be accessing the content.

Another issue is who is to notify people of compromised personal data, the service provider or the organization? Who pays those costs? If an internal end user posts data that can be compromised, again who is responsible? It would appear that in all cases you are.

Comments { 0 }

Information Governance – Nice idea but we really don’t care.

By on April 8, 2013 in Blog, Data Security, Information Governance

As a vendor we push the importance of information governance, not that we sell information governance just provide technologies that help. So information governance is something we believe all companies should be taking the time to thoughtfully plan, deploy, and manage.

The link between information governance, E-Discovery, and litigation support are closely intertwined. We have a very large client who was burned to the tune of billions (and billions) of dollars for not having an effective information governance plan (or even a plan at all). A pretty hefty price to pay.

In a recent research report by 451 Research, ” E-Discovery and E-Disclosure 2013: The Ongoing Journey to Proactive Information Governance” the results indicated that only 32% of senior management felt that information governance was important. It appears we are not all on the same page here.

For the sake of conversation because I am obviously on the wrong track here, is information governance important to your organization? If so, how did you deploy, is it working? Do you feel that the enterprise is better able to face litigation, E-Discovery, and compliance issues? Or are you like the other 68% that really doesn’t care?

Comments { 0 }

Concept Searching Survey Finds Intelligent Migration a Key Priority for 2013

By on March 22, 2013 in Blog, Enterprise Metadata Management, Information Governance, SharePoint, SharePoint 2013

Concept Searching conducted a survey in the fourth quarter of 2012 to identify key executive priorities for 2013, specifically around the use of applications that require metadata. The survey included Concept Searching clients as well as the broader marketplace. Although improving search was the number one priority across the board, surprisingly, migration was also high on the respondents’ replies.

Responses from the Concept Searching client base revealed that 33 percent have used the technologies for migration, with 53 percent of the broader marketplace looking for a solution that can intelligently address the migration process. The migration process now requires more sophisticated techniques to ensure compliance objectives are met. Simply moving documents from one repository is not enough, as content that was typically unmanaged will remain unmanaged, continuing to expose an organization to risk. Information cannot be managed from inception to deletion without comprehensive metadata associated with the content, and incorporating the multiple channels and origination points from which content was received.

To read the press release, click here.

Comments are closed