May 27, 2020

The Need to Be “Information Lean” After COVID-19

Randolph A. Kahn

Many things will never be the same after the COVID-19 affliction. More and more employees will spend less and less time at an office. As more employees work remotely, they will use more technologies to connect and collaborate, and they will store more company information in the Cloud and on various home devices with a range of setups and vulnerabilities. Bad actors, cyberthieves, and hackers will undoubtedly have greater luck exploiting the resulting chinks in the information security armor. Indeed, hackers and cyberwarriors began attacking the soft underbelly of corporate security—the devices employees use (sometimes their own and sometimes provided by the company) and the networks on which they connect—right after COVID-19 hit. Businesses must have a concrete plan to deal with these new realities and become more “information lean.”
This new environment is also accelerating digitalization, which is building better business processes through strategic use of technologies. That is important because it provides companies the opportunity to reevaluate what they are doing and why. Sifting through old processes allows not only new efficiencies to emerge, but also the chance to build compliance needs into processes from the beginning, which can make them transparent and seamless. In other words, addressing issues such as privacy and security in planning and design phases of a project means it will not need to be retrofitted downstream.
The article will reveal some essential truths about the new reality for businesses after COVID-19 and the concrete planning required to become information lean.

The Truth About Home Workers

Employees prefer their own devices, so even if policy prohibits it, company information finds its way onto personal devices, which implicates privacy and security issues. The security protections in a personal environment tend to be less robust than in the corporate setting or in the Cloud. Thus, although home workers may limit a company’s computer and office expenses, they present different security challenges.

The Truth About Information Piles

Information volumes have been growing every year for many decades and will not stop growing unless something or someone intervenes. That is not happening very often in most big businesses. Piles tend to be ill-managed or not managed at all, and tend to mix important with unimportant information. That makes environments like the shared drive the perfect target of hackers because employees store all kinds of information there, including information that may have substantial value to the company like intellectual property. When it comes to information piles, the more information and the more locations, the greater the privacy and security risk. Competing interests (like Big Data proponents) inside any given company that will want more information for longer periods of time must be addressed.

The Truth About Security and Privacy

Information security has become a core business activity that requires resources, expertise, and vigilance. No matter how much money and effort you throw at securing information, hackers will be successful from time to time. So, information security is really about seeking to minimize the pain and harm exacted on the company.

The Truth About How Companies Got “Information Chunky”

Most businesses are keeping too much information, and some are keeping everything. The law of diminishing returns applies to information to the extent that there is so much that litigation response becomes a huge headache and significant expense. Lawyers are to blame in part for that reality. With the advent of electronic discovery, lawyers over-preserved because they thought it was the conservative position and did not want to be responsible for destruction of evidence. Once information was on legal hold, it often remained on legal hold. Unwinding the “preserve everything” approach to litigation response is challenging, especially if a company has lots of litigation. However, bad habits and over-retention must stop, and lawyers will be central in taking on this issue.

Remember Goldilocks to Become Information Lean

Most privacy laws and regulations make clear that less is more when it comes to privacy. That means keeping as little as possible for as short as necessary. In the case of the GDPR (the EU privacy directive), information must be retained no longer than its original intended purpose, but as short as possible to run the business and comply with the law.
In addition, although Big Data and analytics folks might want more data for longer, there are several important compliance and business drivers that militate in favor of keeping less. For the most part, information value goes down rather quickly after it is created and used, so keeping everything forever is bad business. The following chart helps explain the declining value of information over time while risk increases.

Moreover, as the piles grow, so does the challenge of protecting the growing volume of information because growth usually means more applications, more storage locations, and thus more ways for the bad guys to exploit information assets. Costs of storing more information make the overall costs go up, even if the storage unit costs go down over time. The volume increase and overall increase in cost is not to be ignored because someone fallaciously asserted that “storage is cheap.” Big companies may be spending hundreds of millions of dollars to store their information.

The take-away from the children’s tale Goldilocks and the Three Bears is simple: find the right bowl of porridge to eat and the right bed to sleep in. In other words, this pile of information is too big, and that pile of information is too small, but this pile is just right. Businesses must strive to be information lean by not keeping too much or too little. The Cloud helps and hinders in this regard. On the one hand, the Cloud has infinite scalability, which lets companies keep just what they need and not overbuild underutilized infrastructure. On the other hand, the Cloud has infinite scalability, and human nature (packratitis) and business pressures (Cloud providers want maximum revenue and stickiness by having as much of your company information stored there as possible) promote over-retention of information.

12-Month Plan to Be Leaner

What follows is a basic, pragmatic plan to become information lean in a post-COVID-19 world where more employees are working from home and company information is more exposed than ever before.

In this new reality, businesses must be more information-security minded and vigilant, more privacy-centric, and much more protective of their intellectual property. All that begins with being information lean.

For more business law content, visit businesslawtoday.org.

Randolph A. Kahn

Founder, Kahn Consulting Inc.

Randolph Kahn and his firm, Kahn Consulting Inc. (www.KahnConsultingInc.com), are recognized across the globe as leaders in information governance. Mr. Kahn has advised the U.S. and foreign governments, courts systems, and major multinational corporations on a wide variety of information issues, including e-communications strategies, privacy, social media policy, information security, electronic signatures, records-management programs implementation, and litigation-response processes. Mr. Kahn has been an expert witness in major court cases. He is a highly regarded speaker and a two-time recipient of the Britt Literary Award. He has written numerous published works, including Chucking Daisies, Email Rules, Information Nation: Seven Keys to Information Management Compliance, Information Nation Warrior, and Privacy Nation. Mr. Kahn teaches Law and Policy of Electronic Information at Washington University School of Law and The Politics of Information at the University of Wisconsin-Madison. He is currently working on a new book entitled, The Executive’s Guide to Navigating the Information Universe.