Bring your own device (BYOD) programs and increasingly common remote/hybrid workplaces have introduced more than just “IT” risks. Compliance risks associated with data and technology also need to be identified, measured and mitigated. Many companies are starting to implement information governance programs to address the management of information risks that span domains, such as records and information management, legal processes, information security, data privacy and data governance. Bringing together the collective knowledge and expertise of these varied stakeholders enables companies to stay nimble and rapidly respond to changes in the evolving technology and data landscape in which they operate.
The diverse challenges posed by personal devices and third-party messaging applications illustrate the benefits of an information governance program. Information governance stakeholders can bring various perspectives and insights to the table, including:
- Records and information management: distinguishing business records and communications that need to be retained (and for how long) from nonbusiness records that can be purged or deleted
- Legal/litigation: determining approaches and considerations for complying with obligations to preserve information for regulatory or legal matters
- Privacy: balancing company surveillance activities with evolving data privacy obligations
- Business: determining business needs and related emerging technologies to enable the company to remain competitive
- Information technology: identifying the technical capabilities of various platforms to support preservation, retention, deletion, and limitations or consideration for enabling different settings
- Information security: understanding the potential for data loss and misuse for different technologies
- Compliance: considering the relevant laws and regulations when implementing policies and how policies will be enforced
Steps to take Now, Next and Beyond
Ephemeral and third-party messaging apps pose unique challenges for companies, and traditional ways of identifying, managing and governing this technology may not be as effective due to the emerging nature of these risks, issues and the technology itself.
Now: Support proactive initiatives designed to drive compliance and reduce risk:
- Assess current employee use of personal devices and third-party applications to identify potential risk areas or compliance violations.
- Review, align and update policies and procedures (e.g., acceptable use, BYOD, records and information management, legal hold and preservation).
- Evaluate technology to support compliance (e.g., enhanced functionality or tools that enable capture, retention and archival capabilities).
- Train employees on information risks and new requirements and promote a culture of compliance.
- Consider enterprise licenses for key communication and collaboration platforms that offer elevated control and compliance functionality.
- Adapt a more agile mobile device management (MDM) program to address variable risks in employee populations.
Next: Prepare for reactive regulatory inquiries and investigations to enable timely and complete responses to regulators and courts:
- Develop legal hold processes and train employees and IT system owners to enable timely preservation.
- Leverage technology to issue, track, monitor and lift legal holds.
- Identify and define key data sources that have frequently been subject to legal hold and collection.
- Understand retention and disposition practices, including preservation and collection considerations.
- Define forensic collection standards, processes and technologies, including appropriate data transfer and chain of custody protocols.
- Evaluate forensic acquisition tools and techniques needed to collect information from nonstandard data sources.
Beyond: Establish an information governance program to manage information risks in an evolving business, technology and regulatory environment:
- Socialize the value of a holistic information governance program across the organization to support an enhanced understanding of information risk and the benefits to mitigate fines and reputational risks associated with regulatory enforcement or other public incidents.
- Establish a cross-functional governance structure and operating model.
- Harmonize policies, standards and procedures across information risk domains to drive consistency in terminology and requirements.
- Centralize information risk monitoring activities through standardized methodologies and reporting. structures.
Kymberli Shoemaker also contributed to this article.
