There is a lot of misunderstanding around information governance and what it really entails. Below are a few common misconceptions about IG and an explanation of the true state of IG.
Information Governance is Too Hard
Information Governance is exactly what it sounds like -- an integrated program that:
- values business information as company assets
- employs physical, technical and administrative safeguards to protect and manage information assets
- educates and trains personnel
- uses metrics to measure and improve performance. It can be run “in-house,” by a Chief Privacy Officer (CPO), a Chief Information Security Officer (CISO) a Chief Information Officer (CIO) or any combination, or it can be outsourced.
In any case, the essential principles of any good information governance Program are well-established and follow common sense:
- Identify what information assets you have, and assess your business risk for using them
- Protect the information with reasonable care
- Detect any potential compromise
- Restore your systems & processes to operational status
- Recover, mitigating any harm, and go forward profitably.
Information governance requires thought, planning and execution, as one would expect of any significant business activity. But, like other acts of good corporate governance, it merely requires commercially reasonable action that amounts to due care for the company’s assets.
Information Governance is Too Expensive
Small and mid-size firms sometimes believe – incorrectly – that they “cannot afford to pay for compliance.” Yet, according to a recent study, the cost of non-compliance is almost three times the cost of compliance. And, like many other business functions and processes, Information Governance can be effectively outsourced, at greatly reduced cost.
Another mistake made by small and mid-size businesses is to simply leave information governance to the IT department. Yet, it is virtually impossible for the IT dept. to have the legal, regulatory and cybersecurity knowledge -- or the decision-making authority -- necessary to implement an information governance program, across the company. Information governance is an enterprise risk management function that must be overseen by the C-suite or the board, and taken as seriously as the company takes finance and operations.
While some businesses may be tempted to simply add these duties to the existing portfolio of the general counsel or chief financial officer, this is impractical unless these individuals have extensive training or subject matter expertise in data privacy and/or cybersecurity. While it gives the appearance of dealing with these issues at the C-suite level, it really just overburdens an officer who is left without the resources necessary to fulfill the mandate.
Worst of all, many small to mid-size businesses just ignore the problem, hoping it will just go away. One in four small firms have little to no understanding of cybersecurity issues. This often ends in completely unnecessary disaster, and it is often not even due to malicious, outside “hackers.” Many times the culprit is a lost or stolen laptop, papers left in a public place by an employee, or a trusted vendor whose personnel discloses information that was entrusted to your business. A culture of privacy and security -- of information governance – is designed to help mitigate these concerns.
Information Governance is Not For Our Industry
Consumers and employees expect companies to safeguard their confidential, personal information, as the law requires, regardless of the industry.
Studies show that:
- almost 40 percent of consumers made buying decisions based upon privacy concerns
- 27 percent of millenials abandoned a purchase online because of security or privacy concerns
Class action lawsuits are commonly filed by consumers and employees whose personal information was revealed in a data breach. Regulators also regularly file and take other actions to protect the public and its information.
Whether it is competition for customers or for the best employees, or simply avoiding fines, penalties and the heavy costs of a data breach, a business that is good at Information Governance should perform better in the marketplace.
By Kevin Bley