How We Help

We bring deep experience and practical problem-solving to bear in the following core service areas:

Data Retention

We help clients create and legally validate actionable retention policies and schedules. Your retention schedule is a practical, structural framework for all of your organization’s valuable information. This information framework is tied to rules for how all information (paper, electronic, or other media) will be managed throughout its lifecycle. The schedule establishes retention periods based on both legal requirements and business needs, and can also capture other important governance rules, such as custodianship, permissible media, and privacy and security controls. In addition, the schedule must allow for practical implementation against the organization’s paper records and electronic data.

Schedule Validation

We review, validate, and update retention schedules for clients who already have a reliable schedule. Our resources include our proprietary dataset of retention legal requirements and considerations found in statutes and regulations of the U.S. federal system and each of the 50 states. We build on that foundation with industry and custom research tailored to each client. Our retention schedule work is directly compatible with big or small bucket structures and either legal group frameworks or direct assignment of citations and legal rationale to each record series. We can also identify and attach information legal requirements beyond retention, such as privacy and security controls and media requirements.

Schedule Creation

For companies that do not have an up-to-date, reliable retention schedule, we offer a range of efficient and cost-effective solutions. We can guide your internal project team as it assesses and identifies information types across your company’s functions. Or, we can conduct interviews in your business units and functional areas to capture and organize the necessary information. Either way, our years of experience with retention scheduling across industries are an invaluable guide for this information gathering, so that you begin the process with the end in mind.

Data Management and Defensible Disposition

It’s not enough to have the right rules for your information – the rules must be implemented. We help refine your information policies and procedures to be more actionable. We also guide you in the practicalities of compliant and effective implementation, helping you solve problems and reach concrete, measurable objectives of information governance.

  • Developing departmental file plans and other structures to create traction for retention policies and schedules;
  • Selecting the right strategies for internally publishing retention policies and schedules, and deploying guidance and training for employees and other stakeholders;
  • Applying retention policies and schedules to workflows for managing paper records, such as control processes for records being sent to offsite storage;
  • Incorporating retention policies and schedules into data management systems, such as email systems, email archive structures, and enterprise content management applications;
  • Using retention policies and schedules in targeted information governance projects, such as defensibly remediating legacy troves of data or paper; and
  • Integrating retention policies and schedules into litigation readiness and legal hold processes in advance of litigation.

Data Security

Data security threats are multiplying – phishing, malware injection, device theft or loss, and insider involvement … the list goes on. And size doesn’t matter, because hackers are targeting small and medium-sized companies as gateways to other, larger prey. Organizations’ attack surfaces are expanding, and security is not solely the responsibility of IT – human vulnerabilities are often the most difficult to control.

The United States is a data security regulatory minefield, with requirements for security programs and incident response under the Gramm-Leach-Bliley Act, FCRA/FACTA, FERPA, HIPAA/HITECH, state information security and breach notification laws, FTC enforcement precedents, the PCI Data Security Standards, and ISO 27002, among others.

We help clients make sense of this complicated security landscape, with services for security compliance and risk management, breach response readiness, and critical security incident response.

Security Compliance & Risk Management

An information security program is more than a compliance requirement. Assessing risk and establishing effective, measurable security controls are essential elements for protecting your information assets. We work with you to:

  • Conduct data security risk assessments and compliance gap reviews;
  • Establish compliant data security policies and procedures;
  • Review data security agreements with service providers and advise on compliance oversight;
  • Provide data security compliance training;
  • Analyze data security risk allocation and cyber liability insurance coverage; and
  • Enable defensible disposition of unnecessary information, to lessen risk.

Breach Response Readiness

It’s a when – not if – world for data breaches. Your IT security team may have an incident response plan in place, but that plan will not prepare you for all that must be handled. Also, only a fraction of data breaches will first cross the radar of your IT InfoSec team.

When handling a data breach, many channels of activity must proceed in sync, such as Security, Legal, Forensics, Law Enforcement, Regulators, Insurance Coverage, Public Relations/Communications, Stakeholders, Notifications, and Personnel Management. Effective readiness requires understanding what may be needed in each of these activity channels, and also how to manage them simultaneously to avoid unnecessary delay, cost, and risk.

We help organizations lay the groundwork in advance for these response activities, so that structure, direction, and resources for dealing with critical data security incidents are ready when needed.

Critical Security Incident Response

When protected information is compromised or lost, we help you determine your legal responsibilities and next steps. We can guide you through the requirements and options for compliant incident response:

  • Incident investigation, including use of forensics experts;
  • Analysis of whether and how breach notification requirements apply to the incident;
  • Breach notifications, including use of notification service providers;
  • Legal holds for the security incident;
  • Coordination with law enforcement agencies;
  • Collaboration with public relations and crisis communications providers;
  • Assessment of liabilities of service providers and other responsible parties; and
  • Analysis of cyber liability and incident response insurance coverage.