Data governance a looming issue
Susan Bennett: A new industry group to explore growing information governance issues
Australia is lagging the US in its approach to information governance, placing enterprises and individuals at risk, according to a nascent professional association.
Information Governance ANZ is gearing up for a formal launch in August in a bid to lift the profile of information governance and spur enterprises into action.
Loosely modelled on the US’ Information Governance Initiative, IGANZ describes information governance as “maximizing the value of the data held within an organisation and minimizing the risks of holding that information”.
Susan Bennett, co-founder and director of IGANZ, said that organisations were increasingly tempted to store every piece of information they generated, because of the continued reduction in computer storage costs, but she warned that this was a flawed strategy.
Not only were companies paying to store and manage excess information, but if they were ever caught up in litigation or a regulatory investigation, they could be exposing themselves to enormous costs associated with the data discovery process.
At the same time there was a risk that sprawling data collections could be more difficult to protect from hackers.
Ms Bennett said that Australia was somewhat behind the US, where “the document production in litigation is a huge driver” for better information governance. She said that, globally, estimates of the size of the e-discovery market could be as high as $10 billion, with specialist e-discovery firms charging by the gigabyte of data searched (although the rise of predictive coding is helping rein in those costs).
She said that in Australia companies were often prompted to address their information governance issues only following a legal or regulatory action, or when considering a move to the cloud which necessitated a review of exactly what data was to be moved.
A survey by the IGI revealed that the US triggers for an information governance overhaul included: regulatory compliance or legal obligations (66 per cent); an external trigger such as a lawsuit or data breach (53 per cent); a desire to mitigate risks associated with data that could have been defensibly deleted (43 per cent); to reduce the cost of data storage (41 per cent); or a technology transformation that might include moving data to the cloud (34 per cent).
“With the exponential rise in data … people are keeping everything. It’s a huge risk because you are keeping stuff that you don’t need to keep,” said Ms Bennett. She said that a smarter approach was to: “Only keep what you are legally obliged to keep plus what you need to run the business.
“If you are keeping every email everyone has sent that is a lot of information you don’t need to be keeping.”
Nick Klein, founder of digital forensics business Klein & Co, said that when investigating a data breach the two key questions were what sensitive information was stored and where it was located. Not every business could easily answer that, he said.
“Securing your environment starts with knowing what your confidential information is and where it is. If you get those wrong it can be a bit of a house of cards,” said Mr Klein.
He acknowledged that it was not easy to get information governance and security right as there were many competing pressures on an enterprise, but he noted that without it companies might find themselves exposed.
He said that organisations naturally stored information identified as sensitive in an encrypted database, but without proper information governance it was possible for a copy of that database to also be stored on a developer’s computer to test a new system, and hence vulnerable to attack.
“The more disorganised the business about managing information the better it is for the hacker,” he said.
Mr Klein said that the only “silver bullet” in terms of protecting sensitive information came from “people with the right training, experience, support and funding. It’s not from products or consultants but good people with good operational control.”
Ms Bennett said that effective information governance required top-down commitment and an understanding by C-suite executives and the board of the risks associated with having no proper strategy in place.
Public sector organisations are required generally to have relatively clear information governance frameworks to comply with governing legislation. The National Archives describes an information governance framework as “the legal, regulatory and business context within which information assets are created, used and managed.”
It is a definition equally applicable and important to the private sector, especially given the pace of data generation.
Ms Bennett said that a well-structured information governance framework would determine what an organisation kept, and how it kept that data. By taking a more holistic view of corporate information sources, addressing issues such as privacy, security and governance, it was less likely that a company would be exposed to data loss or leakage.
Co-founded by Ms Bennett and Marie Felsbourg, the intent of IGANZ is to “provide a forum where professionals can collaborate to develop a community that promotes best practices and innovations of information governance activities and technologies that organisations employ to maximise the value of their information while minimising associated risks and costs.”
It has assembled a strong advisory board including Kate Carruthers, chief data officer for UNSW; Mathew Golab, head of legal technology at Gilbert + Tobin; Melanie Marks, executive manager of digital trust and privacy at the Commonwealth Bank; and Shaun Wilson, founder and non-executive director of QxBranch, a quantum computing software and data analytics company.
Ernst & Young has agreed to launch the initiative next month, but Ms Bennett is still seeking sponsors for the association so that membership can remain free.