ARMA International defines information governance as a "strategic cross disciplinary framework composed of standards, processes, roles and metrics that hold organizations and individuals accountable for the for the proper handling of information assets.

 

The framework helps organizations achieve business objectives, facilitates compliance with external requirements and minimizes risk posed by substandard information handling practices."¹ In simple terms, information governance is an organization getting its information house in order for its own benefit.

 

Information is one of a business's most precious assets. Yet big data — huge, complicated data sets that cannot easily be managed or reviewed with traditional data processing tools — can make information management extremely challenging.

 

According to a recent IDG survey (https://bit.ly/4az6kaz): "On average, data volumes are growing by 63% per month, and one in 10 data professionals reported that volumes are growing 100% or more per month."

 

Without a way to organize the rapidly growing amount and variety of data types, organizations are being bogged down by the same data they could leverage. IG strikes a balance between storing and archiving valuable information and deleting information that is no longer subject to legal obligations.

An effective IG program enables an organization to quickly find, distinguish, and collect records and documents relevant to a legal matter.

 

IG also helps ensure that decisions made about record retention and storage will benefit the entire organization by:

 

•Offering more efficient access to critical information

•Delivering reliable processes to manage eDiscovery

•Providing effective risk management

•Reducing costs through disposition of redundant or useless data

 

Critical components that should be included in an information governance program include:

 

•Policies and procedures: Written guidelines for how information should be handled throughout its lifecycle and how the quality, consistency, and integrity of data will be preserved.

•Records management directives: A formal procedure outlining the proper classification, retention, and disposal of organizational records.

•Security frameworks: Information concerning measures like encryption, access control, and monitoring to protect the organization's information.

•Technology and tools: Systems for data archiving, classification, eDiscovery, and analytics.

•Training and culture: Employee education on best practices and the importance of adhering to IG policies.

 

When creating an IG program, an organization should be accountable, compliant, efficient, authentic, and transparent in its efforts. While IG should be independent of any particular unit of a business, it should receive input from the entire organization so that it represents its needs and interests as a whole.

 

Here's one approach:

 

Obtain support from top management to ensure visibility, authority, and resources to maintain the program. Form a cross-functional team of key stakeholders from legal, compliance, IT, records management, operations, and other relevant business units to ensure that the program meets legal requirements and business needs.

 

Identify and categorize all information assets — both structured and unstructured data. A careful examination of existing policies on document retention can eliminate unnecessary information, create an organized structure to locate and obtain data across the organization, reduce the risk of a data breach, and save money by reducing the volume of data that must be stored. More data = higher storage costs and legal exposure.

 

Connect IG objectives to organizational goals like compliance, operational efficiency, risk reduction, avoiding information silos, promoting efficient sharing of information, and reducing duplication of effort. Try to set measurable goals to track progress, e.g., reduced storage costs or enhanced data quality.

 

Draft a data map that documents where the organization's data lives, its format, and how it travels throughout the company. This data map will help confirm that all relevant data is preserved and help facilitate the overall data collection process. When litigation arises, review your organization's data map to learn where the relevant data sources can be found within the organization's systems. Treat a data map as a living document by updating it periodically to reflect the most up-to-date state of the organization.

 

An information governance framework (IGF) defines how an organization manages its informational assets. The framework should set forth clear guidelines regarding data classification, retention, access control, privacy, and deletion throughout its lifecycle. Draft processes for implementing and enforcing IG policies to ensure regulatory compliance.

 

Use automation to streamline eDiscovery processes, data classification, retention, archiving, encryption, access controls, and the protection of sensitive information. One critical technology used in IG programs is data loss prevention (DLP software), which monitors and controls the flow of sensitive information to prevent unauthorized access and data leaks.

 

A critical component of a well-designed IG program is the training of employees and the communications used to integrate the policies within the organization. You should offer all employees ongoing, comprehensive training on information governance policies and procedures. Training should also provide guidance to help employees determine when they should seek assistance and where to obtain that assistance.

 

When you create your IG program, conduct an initial data audit to gain an understanding of where the organization's data is stored, its format, access levels, and potential risks. Moving forward, conduct intermittent audits to continuously review organizational compliance with IG policies and make adjustments based on your findings. Track key performance indicators to measure your program's effectiveness, using audit results to improve processes and tools.

 

Here are some recent examples of how a lack of information governance resulted in unfavorable court rulings and fines:

 

•DR Distributors, LLC v. 21 Century Smoking Inc., (https://bit.ly/4gcTuAa). The Court in this 2021 trademark infringement case found it is essential that counsel familiarize themselves with their client's IG program to comply with their discovery obligations, and implied that in this age of big data, courts expect parties to have IG programs. The Court imposed discovery sanctions on the defendant for failure to preserve specific information and misrepresenting the location of information, consequences of a non-existent/poor IG program in addition to the defendant's "dishonesty and lack of candor."

 

•In re Google Play Store Antitrust Litigation (https://bit.ly/3E1XNAM). In this 2021 multidistrict litigation, the Court ordered Google to pay monetary sanctions for not taking reasonable steps to preserve electronically stored information (ESI). The company had followed its own information governance rules directing the deletion of employee Google Chat messages after 24 hours, violating a September 2020 litigation hold. Google disregarded the hold, allowed the auto-deletion to continue, and let its employees decide whether a chat was relevant to the litigation or not.

 

•In re Keurig Green Mountain Single-Serve Coffee Antitrust Litigation (https://bit.ly/42q1daJ). In this 2023 case, noncompliance with preservation requirements in an ESI protocol exposed the parties to significant sanctions under Rule 37(b)(2)(A). The Court found that the defendant failed to produce relevant ESI from several custodians, requiring the plaintiffs to investigate the defendant's preservation and production deficiencies to recover lost data. Although the defendant's IG policy established a reliable repository for business records, it made no guarantee that employees followed the policy by saving documents on the corporate system.

 

In sum, any organization that wants to compete at the highest level in the current market, while navigating a myriad of legal and regulatory hurdles in its path, must implement an IG program with a clear set of guidelines regarding how its information will be handled. An effective IG program recognizes information as a valuable asset and helps ensure that it is handled to the benefit of the Organization.