Our unstructured data has grown relentlessly, with documents, spreadsheets, and slide decks stashed helter-skelter by employees in network and local drives. And thousands of boxes of paper sit in off-site storage, out of sight and mind. Finding the right information is a daily headache, slowing productivity. It’s hard to apply security controls to sensitive information because we’re not sure where it is. And I’m worried about spiraling litigation costs when we’re compelled to find, hold, and review data and documents for litigation.
The headquarters move is months away, but I’m already concerned about an information management train wreck. The new space is impressive, yet has far less storage space, which is daunting given our overflowing file cabinets. I winced when our move provider said we should have several “Shred Days,” imagining just how brutally that would be mischaracterized in pending litigation.
Email has overrun our organization. Email servers are at capacity, and countless messages and attachments are squirreled away in PSTs. An email archive or cloud repository seems like a magic fix, but these IT solutions simply repackage the same core problem: excessive email volume coupled with a failure to manage it based on value. It’s unclear which email is record-worthy and, if so, what retention rules apply. We keep non-record email for years, without any legal requirement or business need.
We know we have data that needs protection – employee and customer personal information, and also confidential business information and trade secrets. Our IT group says that they have things under control, but that’s just for our network systems. What about all the ways that data can be compromised without our network controls noticing – a mistaken publication, an insider threat, a lost or stolen device? And what about our sensitive data in the custody of our service providers? Our regulators are cracking down on data security, and I’m not comfortable that we truly understand our risks or have adequate security policies and controls in place.
Our IT Security group is top-notch, with a computer incident response plan and team in place. But that merely covers IT Security activities for detect-contain-eradicate-restore. When (not if) we have a true breach, we’ll need to quickly and simultaneously handle many activities well beyond the role of IT Security, such as internal investigation; forensics; legal review of breach notification requirements, service provider responsibilities, and exposures; assessment and triggering of insurance coverages; law enforcement coordination; stakeholder reporting; notifications of regulators and individuals; and HR repercussions, among others.
Our internal auditors and our board are showing increased interest in exactly how we are managing and protecting our data. In previous years, questions were usually cursory and in reaction to some specific event or issue. But now, these groups are taking a more holistic view of data as a corporate asset that must be identified, controlled, and protected, and this time they are serious.
We take governing information seriously. And that includes safeguarding the information our clients entrust to us.
Our firm has attained ISO 27001 certification of our information security management system, including our processes for client correspondence, client documents, firm work product documents, accounting and billing, and firm management.
The ISO 27001 external audit and certification process provides independent validation that our firm’s data security policies, procedures, and controls meet international standards for secure information practices.