The Cost of Information Misgovernance, and What You Can Do about IT

Information governance — historically a bottom-up practice and now the responsibility of Governance, Risk and Compliance (GRC) managers — has been pushing its way into boardrooms around the world. Sarbanes-Oxley, HIPAA, the Basel II accords and similar regulations have triggered this trend.

The problem is that the concerned parties rarely speak the same technical language. Modern enterprise information management systems are helping to address the problem, but there are still a few secrets to success. Here are some things to keep in mind during your initiatives.

The terms “corporate governance” and “information governance” no doubt sound similar. Many people focus only on the “governance” aspect of both, and assume that they are different names for the same discipline.

But for too long those who specialize in both fields have paid too little attention to each other — a disinterest that courts and regulators are now forcing to an end. Corporate governance, the role of boards and top management in overseeing, administering and monitoring a company, is very much a “top-down” field. Information governance, which oversees the performance and risk management of information technology (IT) systems, would seem to be a very “bottom-up,” tactical item at the bottom of a board’s agenda. Yet IT and data management have been pushing their way up on that boardroom agenda for some time.

How Technology Became the Board’s Business

The first IT moves we saw in the boardroom came a decade ago, when the technology costs and potential dangers of Y2K problems became a boardroom concern. But the costs and legal liability for managing (or mismanaging) electronic data did not fade with the Millennium, and have in fact spiked higher over the past several years.

The federal Sarbanes-Oxley Act of 2002, particularly its Section 404, mandated a strong internal control environment, including the electronic data needed to prove it. The Health Insurance Portability and Accountability Act (HIPAA), which became effective in 2003, imposed tough data privacy and protection mechanisms for any businesses related to health care. The Basel II accords on banking in 2004 required robust data storage and retrieval capability. The Personal Data Privacy and Security Act, and its subsequent updates, set complex information security rules for government agencies and their private contractors.

Legal requirements on how companies must preserve and produce data also grew rapidly. In late 2006, new amendments to the Federal Rules of Civil Procedure (FRCP) regarding electronic discovery of evidence became effective. These codified, and in some ways simplified, electronic evidence discovery matters. But the new FRCP rules also forced companies to better organize their data management processes.

The High Cost of Information “Mis-Governance”

Corporations have learned the hard way that these requirements have teeth. In 2008, non-compliance with FRCP data discovery demands in litigation cost UBS Warburg $29 million, and Merck a whopping $253 million. But even playing by the new data governance rules can cost a company if the information is badly retained and organized. Recently, a Fortune 100 corporation, in seeking to acquire a competitor, learned a hard lesson on information governance when it scrambled to meet government antitrust disclosure demands. Over 150 workers spent 10 weeks reviewing material, including 1.5 million emails alone.

Organizations not directly involved in an investigation also suffer nowadays if they lack modern information governance processes. A small government agency had only peripheral involvement in the investigation of Freddie Mac. The general counsel of this small, under-funded office had signed off on an e-discovery request to search their email and files, assuming the cost would be minor. But the inaccessibility of the data required an army of attorneys and staff to perform a hands-on physical review — all billed by the hour. The “minor” cost came to $6 million, and this for a non-party to the litigation. By the way, this agency sought relief for this crippling cost, but was turned down by an appeals court. The court’s reasoning? The general counsel should have known what he was letting the agency in for when he approved an open-ended e-discovery process.

 
