“The rise of big data, social networking, and mobile interactions, coupled with an accelerating increase in the amount of structured and unstructured information enabled by cloud-based technologies, is forcing organizations to focus on the enterprise information that is most relevant, value generating and risk related. Gartner predicts that by 2017, 33% of Fortune 100 organizations will experience an information crisis, due to their inability to effectively value, govern and trust their enterprise information.” (Gartner, May 2014)
Organizations attempting to implement a viable information governance framework that will ensure
long-term health must comply with applicable statutes and regulations. Information must be managed
so legal holds can be implemented consistent with the good faith and reasonableness required by courts
and regulatory agencies, while protecting the privacy of information maintained on individuals. For both
ease and efficiency in obtaining a viable IG framework, information should be eliminated when it no longer
serves a valid legal or business purpose.
The largest organizations often respond to a query regarding their retention policies with, “We keep it all.”
Decision makers may mean well, given the impact of the Sarbanes-Oxley Act and sanctions imposed by
courts when evidence cannot be delivered, but such action is likely to have detrimental impacts on the
organization. Maintaining large amounts of data and physical information not only is expensive but also
creates difficulties in locating information critical to the ongoing business. It creates vast amounts of
information that might be required to be produced in litigation, or in response to a governmental audit,
and potentially houses private information relating to individuals that is susceptible to a breach.
Organizations are reluctant to eliminate digital debris because they:
• Don’t know where to start
• Can’t bring information stakeholders to the table
• Can’t demonstrate urgency
• Can’t clearly demonstrate negative cost and risk impacts
• Can’t build a compelling business case
Experts at Berkeley Research Group address these issues on behalf of an organization and communicate
relevant findings to appropriate decision makers. Building a compelling business case by demonstrating
costs and risks is not difficult in light of the current information growth and changes in laws relating to it.
BRG experts focus on both costs of inaction (COI) and returns on investment (ROI). The following graph
illustrates risks and costs associated with the inability to dispose of information that no longer serves
an organization’s interests.
Source: Interview with Deidre Paknad, Corporate Counsel (March 28, 2013)
BRG experts will advise an organization’s stakeholders in the development of an information governance
framework and then identify appropriate stakeholders who need to be involved in its implementation.
Our experts will work with the stakeholders in creating an information governance roadmap to meet the
initial, critical goal of defensible disposition.
Attempts to create a solid IG framework will bring those tasked with this formidable challenge face to
face with three converging scenarios that must be addressed simultaneously:
PRIVACY AND SECURITY
In the United States, data breaches of private and personally identifiable information (PII), as well as
hacking of business and trade secrets, have become commonplace. Organizations have scrambled
to determine whose information has been compromised and to notify individuals of such breaches.
C-level executives have lost jobs over their companies’ mishandling of breaches. In addition, damage to
a company’s reputation due to the scrutiny of its inadequate information governance serves to motivate
others to remedy inadequate IG frameworks.
SIMPLIFY: Approximately 70 percent of information maintained by an organization is information debris.
[Chart: corporate information, with segments labeled 69%, 1%, 25%, and 5%]
According to a 2012 Compliance, Governance and Oversight Council (CGOC) survey, at any given time, 1
percent of corporate information is on litigation hold, 5 percent is in a records category, and 25 percent
has current business value.
While U.S. organizations are bound by state laws specifying the time requirements for breach notification,
companies doing business with European Union (EU) citizens will be bound by stricter notification timeframes
and more defined requirements for the handling of PII. Broader definitions of PII imposed by the proposed
EU Directive, expected to pass in late 2015, could have profound impacts if “dark” data contains information
considered PII. Since PII is being defined by the EU as any data that can be combined with other data to
identify an individual, more information will need to be captured in a controlled environment. Retention
schedules will be required. EU protection levels underscore the need to mask all non-active PII to prevent
the catastrophic results possible from a data breach.
Moreover, insurance companies are beginning to perform audits on how PII is handled to determine
premiums. The areas of particular concern are the ability to comply with breach notification laws; the
sophistication of data classification schemes for isolating information that needs to be protected through
encryption, masking, etc.; and the presence of an implemented records scheduling system to ensure
the timely disposition of information that no longer serves a business purpose but increases exposure if
breached.
RECORDS MANAGEMENT
With increased regulation, expansion of record types, global reach, and organizations’ general failure to
adequately identify information of value, most organizations lack a scheme that will enhance the operation
of daily business while protecting against liability on a variety of fronts.
A sound records management system would:
• Support event- and time-based retention rules according to global, federal, state, and local laws
• Create a structured file plan to organize records and enforce complex policies/rules
• Enable legal holds, effective audits, and electronic evidence discovery
• Ensure record authenticity, integrity, and contextual relationships
• Adequately preserve records and ensure reliability
• Enable quick record access and retrieval
• Prevent unauthorized deletion
• Ensure timely disposition and complete record deletion, when appropriate
• Ensure privacy and record security policy management
• Support physical records
DEFENSIBLE DISPOSITION
Storage costs that once seemed like a bargain are becoming prohibitively expensive. In addition, large
amounts of stored data increase the amount of information required to be produced in litigation or during
regulatory audits (and costs associated with production), inhibit the ability to determine the merits of a
cause of action, may lead to production of information detrimental to a business’s interests that could
have been legitimately discarded, and increase the chances that relevant information cannot be located.
Information of value to the organization’s operations becomes more difficult to access if housed in
burgeoning data repositories.
A reduction in storage costs can be achieved by developing an IG framework that ensures defensible
disposal of up to 70 percent of currently stored data. Analysis of physical documents and their continued
value to the business is likely to result in further cost reductions. The application of analytics to legacy
data and stored active data can lead to more-efficient data storage, with successful storage reduction
leading to a reduction in employee costs, in the total cost of ownership of storage and IT infrastructure,
and in litigation and compliance risk.
To address the critical areas of privacy and security, records management, and the storage costs and
information chaos resulting from Big Data, BRG offers the following services:
ASSESSMENT OF AN ORGANIZATION’S CURRENT IG STATE
To assess the state of an organization and its readiness to
defensibly delete information, BRG experts evaluate the
maturity level of processes throughout its departments.
The goal then becomes to help each area meet the maturity
level required to assure that all information that needs
to be saved will be. When all areas have reached their
maturity level, large-scale deletion will be defensible.
POLICY CREATION
BRG experts can create policies based on a solid
understanding of a business’s information needs, statutory
and regulatory requirements, and effective legal holds.
They can review and recommend changes and/or updates
to current policies related to privacy and security, records
management, data classification, data quality, email
management, “bring your own devices,” Internet of Things,
etc.
RECORDS MANAGEMENT SCHEDULING
Our professionals can identify records that should
be included within a records schedule, document the
categorization of current and suggested records, develop
schedules and determine the best source for applying
retention requirements, and implement chosen schedules.
EDISCOVERY PREPAREDNESS: LEGAL-HOLD WORKFLOW DEVELOPMENT AND IMPLEMENTATION
Our experts can ensure that legal holds are implemented
in a legally defensible manner by confirming that a system
is in place to ensure adequate holds of relevant data once
litigation or regulatory action is reasonably anticipated.
SECURITY AND PRIVACY MANAGEMENT
BRG professionals can provide privacy assessment and
advice regarding data privacy and data security issues.
All active data containing PII needs to be housed in a
manner that allows immediate access and action to comply
with state data breach laws. Our experts can assess
weaknesses in privacy security that could lead to future
breaches, and aid in classification measures to ensure
both security and quick access to sensitive information.
Our team can also develop response plans in the event
of a breach to limit potential liability.
DATA CLASSIFICATION TO SUPPORT PRIVACY PROTECTION, SECURITY, AND RECORDS SCHEDULING
Current best practices require the classification of data according to its sensitivity (i.e., is it for internal
use only, public, confidential, or secret?). Providing accurate data classifications leads to the ability to
meet statutory legal notification requirements. BRG experts can advise your organization in determining
the best methodology to effect sound data classification and aid in ensuring that appropriate employees
are aware of their responsibility in creating and maintaining a secure data system. BRG professionals
work with clients in developing a framework that captures necessary metadata and other criteria to meet
the needs of eDiscovery, records management, defensible disposition, data privacy and security, and
knowledge management, while ensuring compliance with all relevant statutes and regulations.
ASSESSMENT OF THE VALUE OF LEGACY DATA
Our professionals can leverage data analytics to identify document value and risk. Most organizations’
repositories are too large to be analyzed solely by using current staff. Analytical software packages exist
to sift through large amounts of data to determine content based on predetermined criteria. It is important
to determine what software would serve an organization best in analyzing its own data most effectively
with the least amount of cost. BRG experts can aid in the choice of this tool as a vendor-neutral consultant.
TRANSFORMATION MANAGEMENT: MANAGING AND IMPLEMENTING POLICY AND PROCEDURAL CHANGE
Adoption of a solid information governance framework may require a fundamental change in culture
and processes throughout the organization. Achieving the necessary level of process maturity requires
interrelationships that may not have existed. BRG experts can advise in identification of the primary
stakeholders required to participate in the transformation of processes and ensure they are aware of the
steps they need to take for successful transformation. We can also train all levels of the organization.
KNOWLEDGE MANAGEMENT: ORGANIZING ACCESS AND RETRIEVAL OF CRITICAL WORK PRODUCT AND/OR BUSINESS INFORMATION
Our experts know that much hesitation to dispose of information is based on the fact that previous work
is contained within a targeted repository. We work to identify and ensure easy access to work product
perceived as having continuing value to the organization. (Often, this is achieved by accurately identifying
business records within the records management system.) Creating a knowledge bank not only makes
professionals more comfortable about deleting unnecessary information, but also preserves work that
can be used in future representations or other dealings, enhancing the ability to create quality work at
less cost, with less time and less effort.
SOFTWARE ACQUISITION ADVISORY SERVICES
With the growth of Big Data, many aspects of information governance can no longer be handled by adapting
processes and training people. BRG stays abreast of technology that addresses current needs in all
aspects of information governance. Working with an organization’s current technological environment,
our experts advise in software acquisition and negotiating the optimal price.
ABOUT BRG
Berkeley Research Group, LLC is a leading global strategic advisory and expert consulting
firm that provides independent advice, expert testimony, litigation and regulatory support,
authoritative studies, and document and data analytics to major law firms, Fortune 500
corporations, government agencies, and regulatory bodies around the world.
BRG is headquartered in Emeryville, California, with offices across the United States and
in Asia, Australia, Canada, Latin America, and the United Kingdom.
Berkeley Research Group, LLC, including its subsidiaries, is not a CPA firm and does not provide audit, attest, or public
accounting services. BRG is not a law firm and does not provide legal advice. BRG is an equal opportunity employer.
1.877.210.5246 THINKBRG.COM