High-profile security breaches, the ever-growing volume of corporate data and increasingly complex regulatory and technical environments emphasize the need for enhanced enterprise-wide information governance (IG). The mission of many corporate law departments is to help protect their organizations from unnecessary risk and exposure. Therefore, many corporate law departments are facing increased pressure to help reduce the risk that is inherent in unmanaged and uncontrolled information.
To better understand the priorities and challenges associated with IG that corporate law departments face, we conducted a survey during our annual HBR Law Department Survey roundtable series in New York, Chicago, San Francisco, and Houston. The survey of 33 law department leaders found that while they continue to focus their attention on department-specific issues, about half are also actively engaged in their organizations’ enterprise-wide IG efforts.
Not surprisingly, the two primary drivers for pursuing enhanced IG are increased compliance with regulators and reduced risk of a privacy breach or cyberattack. Though both are viewed as “must haves”, privacy breach risk reduction slightly edged out regulatory compliance in importance. In fact, the fear of a privacy breach, and related loss of reputation and market share, is a key driver behind many defensible disposition initiatives.
While forward-thinking law department leaders see privacy and security as a priority, many still view it as a purely IT issue. Only 40 percent of those surveyed stated that their organizations’ policies were used by most employees, and 23 percent felt their policies were difficult to understand and follow. To close this gap, organizations should integrate simplified policies and processes and implement supporting technologies that make information governance “invisible” to the end-user.
In our survey, we found three areas in particular where organizations can improve upon their IG programs.
- Records Retention. A records retention schedule defines how long information must be kept and provides guidelines for its disposal based on regulatory, legal, and operational requirements. The retention schedule is foundational to successful information governance since it dictates an organization’s disposition and preservation actions. However, we’ve found many organizations’ retention schedules are overly complex, potentially resulting in a lack of compliance. In fact, less than half of the law department leaders we surveyed felt their retention schedules were user-friendly. Furthermore, fewer than half felt their retention schedule is actually being applied in either their hardcopy or electronic recordkeeping environments. To address this low rate of retention schedule compliance, many organizations are in the process of updating outdated retention schedules that were developed at a time when the majority of records were still in hardcopy format. Today, with more than 90 percent of corporate information in digital format, retention schedules typically require consolidation and simplification to be “actionable” in a predominantly electronic environment.
- Email Management. Although email systems have been in place for over 20 years, effective email management remains elusive for many organizations. Rather than managing email by the value of its content, most organizations continue to manage it by arbitrary time periods, applying an auto-delete policy to email older than a specific threshold such as 30 or 60 days. Other organizations impose a size limitation that prohibits employees from sending or receiving emails once the maximum mailbox volume is reached. The problem with both of these options is that they incentivize employees to move email outside of their mailboxes in order to keep the information for extended periods. In fact, over half of the companies surveyed still allow the use of personal archives (PSTs), which provides employees a simple way of avoiding the time- or size-based limits on their mailboxes. Since such habits can thwart eDiscovery efforts, we’re seeing organizations trend towards discontinuing the option to personally archive email messages.
- Securing the Cloud. Spending on public cloud infrastructure as a service and software was estimated to reach $38B in 2016 and continue to grow to $173B by 2026. Given that cloud-based services continue to grow in popularity, it is not surprising that close to 75 percent of law department leaders said they will have transitioned to Office 365 within the next 12 to 24 months. The move to the cloud is attractive not only from a cost perspective, but also for its ability to better support employees’ mobility and collaboration needs. What is sobering, however, is that over 45 percent of respondents stated that they do not have a process in place for ensuring that their cloud-based data is being managed in accordance with their governance policies. Companies need to start accounting for the cloud when designing and implementing their programs, or their programs will fall short in mitigating risks.
Moving forward, law department leaders should support a holistic, end-to-end approach to enterprise-wide IG programs, including policy development, technology strategies and business process improvements. This will allow their organizations to better address the challenges outlined above and improve the overall success of their IG programs.