- August 23, 2023
Episode 33: Effectively Managing Data in the Age of Emerging Privacy Laws
Bill Tolson: Welcome to Archive 360's Information Management 360 Podcast. This week's episode is titled "Effectively Managing Data in the Age of Emerging Privacy Laws," with Mark Diamond. My name is Bill Tolson, and I'm the vice president of compliance and e-discovery at Archive 360. Joining me today, as I said, is Mark Diamond, President and CEO of Contoural Incorporated.
Mark, can you talk a little bit about your company and its areas of focus?
Mark Diamond: Thank you very much, Bill. Happy to be here today and talk about this topic. Contoural is the largest independent provider of records management, privacy, and information governance consulting services. We work with more than 30% of the Fortune 500, many, many small and mid-size corporations, a number of nonprofits, state and local governments, as well as federal agencies. We do more information governance consulting than anybody else out there, and we do that on a global basis.
We're independent. We don't sell any products. We don't store any documents. We don't do any reactive e-discovery. And so our clients really appreciate the fact that when we talk about technology or make a recommendation, it's based on their needs, not because we've got some product we're trying to sell them. And we can talk about products today. Again, we're very independent.
Bill Tolson: Thanks, Mark, really appreciate it. And I know Contoural is involved in lots and lots of great companies. I know firsthand. But to the audience, the topics that Mark and I will be discussing today include information governance, information management, data minimization, data privacy, and how it will affect information management.
So with that, let's first focus on information governance and data governance. And Mark, you and I already talked about this, but we wanted to highlight this. Your company works with many of the largest corporations across several disciplines, like you said. To set the stage, I'm sure you run into this all the time, but I hear the terms information governance and data governance used interchangeably. So what is data governance and how is it different from information governance?
Mark Diamond: There's a lot of confusion in the industry on this. We believe that information governance is complementary to, but separate from, data governance. Typically, information governance includes records management, e-discovery, parts of privacy, behavior change management, and enterprise content management, and it typically focuses on paper, semi-structured data such as email, and unstructured data, and is beginning to delve into structured data.
Information governance is really programs designed to ensure compliance, reduce risk, reduce cost, and make individual employees and groups more productive. Data governance in our view is really about how we leverage mass stores of data, whether it's in database systems, other applications, sometimes in unstructured data, and occasionally in semi-structured data, to answer big questions. Who should we sell to? How should we price our product? What market should we be in? Where should we be focusing?
Data governance often includes data architecture and information security, data modeling, data warehouses, business intelligence, all very good and important things, but in our view, a little bit different than information governance.
Now, there's a lot of confusion about this. We go to information governance conferences and the IG folks say, "Oh, data governance. Well, that's a subset of information governance." When we go to the data governance conferences, people say, "Oh, IG, that's actually just the subset of data governance," and so there's a lot of confusion back and forth on this. We believe that these are separate activities.
Now, to make it even more confusing, we work with a lot of companies that have a data governance group that does information governance. That's fine. To some extent, I don't really care what you call it. Call it information data governance, call it data information management or information governance. Let's not get hung up on labels.
Let's talk about what we're going to do and how it's a little bit separate. And usually, when we explain this, a lot of times the CIO will be at the table and he or she will say, "Aren't we already doing data governance?" And we explain it, and they go, "Oh, okay," and so we work with many, many companies that have complementary and parallel information governance and data governance work streams.
Bill Tolson: No, I love that differentiation in the description. I know you mentioned this as you were just talking. I'm going to focus on it again just for my edification. I use the term information management a lot. How does that fit into the other two terms you just talked about?
Mark Diamond: I think they do. Information management is, well, basically how do we not manage data, but how do we manage information? We find some organizations that like to use the term information management. Sometimes information management entails knowledge management and leveraging, which is all good. But again, at a certain point it gets fuzzy of what's what.
Essentially, it's how can we understand what we have and save the right stuff, and collaborate and share it and get value from it. And do that consistently across the enterprise. Again, what we call it doesn't bother me. And again, if an organization already calls it something, we're working right now with a large insurance carrier and they're like, "We need to call this records management." That's fine. Again, let's not get hung up on labels.
I run into this with ARMA sometimes, sometimes we get indefinitionitis, where we try and define something and we're trying to use it as a way to leverage real estate. While the official definition is this, and therefore we should have purview over this entire project.
Well, I'm not crazy about that approach. I think we need to be a little bit more collaborative and figure out what we're doing, and then we can figure out how to divide it up.
Bill Tolson: Yeah, I like your thought on call it whatever you want, there's certain things we just need to get done. It sounds simplistic in everything and even bringing these up, but these terms are things that, like you say, with various groups get battered around a lot and people almost take them personally.
So I like the attitude of just call it what you are used to calling it and let's move on. Here's a question I'm sure you get a lot, especially when you're first going into a new client or something. Who in a given organization should own information governance, and/or data governance, and whose budget should pay for it?
Mark Diamond: Well, that's a question we get a lot. And often, our answer disappoints. The legal people want us to say that IT should own and pay for it. The IT people say that legal should own and pay for it. The privacy people want somebody else to do privacy stuff. So this is a little bit of a hacky sack that gets kicked around a little bit.
Let me talk about who doesn't typically own it. There's been a lot of discussion in our industry about the chief information governance officer, somebody who has both line responsibility and budget responsibility for all aspects of information governance. I call that the sasquatch of compliance.
There are pictures of true information governance officers out there. I've actually never met one. There's a handful out there, but in almost every single organization, information governance programs are run by a steering committee that includes legal, IT, risk, compliance, finance, HR, and privacy. It pulls all the different stakeholders to the table.
Oftentimes there's a working committee and that reports up to a senior management committee. Matter of fact, we do a lot of work with organizations helping them define what their structure should look like.
The reason is that this requires a series of very different skills across different groups. There's a legal skill involved, there's an e-discovery skill, there are privacy skills involved, there's a records skill, there's clearly a technology skill. There's a behavior change management training skill, which can sometimes fall into HR.
No single group really has the capability or the skills nor the mantle to handle all these different elements. And so this is sometimes the elephant in the room question, because a lot of times the legal group will say, "Hey, we need to do this." They wanted to see it done, but they're afraid if they bring it up that they're going to end up owning it.
And also from a budgetary. And clearly there's not a lot of money that's sloshing around that somebody can do.
Hey, if you do, call me. Unlikely. So almost always, and again, we work with 30% of the Fortune 500, almost always, it is really a divide and conquer approach with a number of different stakeholders.
Bill Tolson: Wow. No, in my dealings with possible clients and stuff like that, I think I find the same thing. There is no hard and fast rule that says it reports under legal or something like that.
So yeah, it usually depends, obviously, on the culture of the company and the industry, and all kinds of other things.
Mark Diamond: And it's not untypical for it to be spearheaded by a director of information governance or a manager or somebody, but that group oftentimes reports into the steering committee. And then their job is to help corral all these different work streams, oftentimes managed by different sponsors, to help them along. And that's actually very typical too.
Again, having a director of IG or a manager of IG. Or we can call it a manager, information management, or records management as we talked about previously.
Bill Tolson: Yeah, we've been talking about information governance and data governance, and in what I think is a related topic, for information governance and information management, data governance platforms, have you noticed, and I'm going to put it in my terms, a major movement to the cloud over the last several years?
Mark Diamond: Absolutely. We are seeing almost all companies move to the cloud. Every now and then we run into somebody that is suspicious of the cloud and from an information security perspective. Or sometimes it's "We want to do this ourselves."
But just about everything these days is going to the cloud, just because it's easier, just from an information security perspective. Microsoft, Amazon, or whoever your cloud provider's going to be, they've got hundreds of information security specialists.
Would you rather have hundreds of people protecting your information or five? So we're seeing that and much, much less resistance. It's really the late adopters at this point that are not moving to the cloud or moving big parts of it.
Now, I should mention this. Many organizations have moved to the cloud, very few have actually fully implemented governance within the cloud. More often than not, it's just a shift in place. I would say 60%, 70%. We did a webinar, and the 60% to 70% have minimal governance control. So it's just like we're using the cloud basically as a large shared drive. They're thinking about it, but we're still seeing adoption of governance in the cloud.
Bill Tolson: Wow, that's somewhat surprising to me. I know we've seen and we've had potential clients lately, in the last six months or so, wanting to move their file shares up into the cloud, maybe up into SharePoint online or something like that. But like you say, with little governance. They're just looking to put it somewhere.
And we'll get into this later in the podcast why that's not necessarily the best thing to do is just to dump it somewhere. But on the cloud side, and everybody listening to the podcast probably knows Archive 360, we offer cloud applications.
And we work closely with Microsoft, very closely, and I know that literally they have thousands of data security people, infrastructure security people, that work for them. And you brought this out very succinctly. Do you want thousands of people working on the best security or do you want one, two, or three that aren't necessarily up to date on prem?
One of the best, I think, advantages of the cloud, besides potential cost savings, is security. Because with the cloud, all the cloud providers, they're updating security issues with patches and stuff instantaneously, where we've all run into companies where their IT people hadn't had time to update their servers with the last three security patches. And on-prem solutions, on-prem installations are a major topic just because of that.
So I think the whole security aspect of cloud is really interesting. By the way, the other reason that we've heard of, obviously, for a mass migration to the cloud is that the technology stack in those various clouds is constantly growing, like an AI / machine learning stack.
Mark Diamond: Oh yeah, I agree. And the innovation in the cloud is much faster than innovation in other places. In some respects, it's a challenge to keep track of what features are available, which is a great problem to have. Wow, I didn't know that did that. And so how do we leverage that?
Bill Tolson: So you mentioned that information management, governance types of applications really aren't being adopted in big ways in the cloud yet. Do you have any thought on why that is?
Mark Diamond: Well, I should say we see a lot of companies that are on the verge of beginning to adopt it. We see a lot of companies that are beginning to use this, and I would say we have a number of clients that are very successful implementing a full information governance framework in the cloud.
What happened is a lot of companies, when they originally moved to the cloud, they did it for financial reasons. They did it because they wanted to get rid of their on-prem, they wanted to get rid of those costs, other things like that. And obviously that was hastened during the pandemic. Companies said, Hey, we really got to do this. And they did that.
They shifted all their data, and now they're waking up saying, "Wow, we've got lots of data out there, which is all over the place, we really need to put some governance on that."
Or they've done some minimal. Maybe they have some retention or maybe they have some data security, but most companies don't yet have a full governance framework. Most companies I think are moving that direction and they're moving it to that. To be honest, I think a lot of the IT groups are just getting a breath of air after all of the work from home and other challenges they had during the pandemic.
Now they're putting this on the strategic roadmap, and we are increasingly seeing companies that are approaching us now to do fairly large governance projects in the cloud for 2023. So I think it's more of a timing thing at this point and an adoption thing. But we're entering what, in product adoption lifecycle talk, is the early majority or main majority for implementing governance in the cloud.
Bill Tolson: Wow. Well, hopefully you've seen this that we've seen, that the federal agencies are obviously moving to the cloud because of presidential directives, executive orders, NARA requirements, all kinds of stuff. So we're noticing, and we deal with many of the very large federal agencies that are either in the process or have moved to the cloud for all the various reasons, but also because of directives.
Last May, President Biden had Executive Order 14028, which basically was a cybersecurity executive order, but also said speed up your movement to the cloud and do it now. So I think the federal space is very active, especially with federal clouds and all kinds of other stuff.
But I think in the last year or two, it's been almost a stampede for federal offices and agencies moving to cloud for cyber security and all kinds of other reasons.
Mark Diamond: No, I agree. And we're seeing that too. And it used to be that a lot of federal agencies were laggards. We're actually dealing with a state department, and historically state government has been a late adopter. They're cutting edge, they're actually doing some really good stuff. So we're not seeing it limited, as you say, just to the commercial space.
Bill Tolson: So maybe they'll be able to respond to a FOIA request in time now.
Mark Diamond: Oh yeah. Well, some of them are actually pretty darn good. I'll say that, and I can be a tough critic sometimes. But no, actually you're good.
Bill Tolson: Good. Yeah, I know several years ago, before the pandemic there were major federal agencies that were response laggards when it came to FOIA. And I'm not sure what lit a fire under them, but yeah, like you say, I've done many webinars and some podcasts and other things around specifically, for federal agencies, around FOIA response and things like that.
And by the way, for everybody listening, FOIA is Freedom of Information Act.
Mark Diamond: Sunshine Laws.
Bill Tolson: Yeah, and all the states have them. I think almost all governments have them by law, but with the pandemic and potentially a lot of agency personnel not being in the office while all of this data is still flowing around, I know I had several agency people tell me it was much harder to track down information requested in FOIA because of all the data being spread around in all kinds of different areas that they weren't used to.
So I think that's coming back. So let's focus a little bit more on a subset of the information governance, data governance, and that's data minimization.
And I'm going to relate this to privacy laws, but there are other reasons for data minimization. And please mention them, Mark. But a core principle of GDPR Article 5 and California's CCPA/CPRA and several other state privacy laws, as well as foreign privacy laws, is data minimization.
So Mark, can you just define what data minimization is?
Mark Diamond: Data minimization basically says there's certain types of sensitive information in the world of privacy, specifically personal information, that limits how long you could retain it to a legitimate business purpose. It says you could have this, but you can't keep it forever.
And so companies are now beginning to realize, in Europe there are some specific [inaudible 00:18:11] that define what makes a legitimate business purpose. California tends to be a little bit more fuzzy. And the other emerging state privacy laws, it's a little bit more fuzzy. But overall it says some of your information is sensitive information and you can't keep it forever. And there are other rules associated with that that we've talked about.
Somebody asks for what you have on me, can you do a subject access request and be able to produce it? Can you delete your information on me? I don't want you to have it anymore. Being able to delete it.
And I think that most US companies haven't really woken up yet to the realities of implementing privacy programs. Let me talk a little bit about what I mean. Privacy, almost all companies, most companies, have notices on their website, which is great.
They know what personal information they have, but many don't realize that their personal information exists in many, many places throughout the enterprise. When we go in and do a personal information inventory, and we do a lot of privacy services, typically the client will say, "We have X amount." And we find that they have two X or three X of what they actually have. So they have a lot more personal information in a lot more places.
Too often they think, Oh, we're just going to look at our customer database. Well, yeah, that's good. You have an application, but typically personal information can live in unstructured data, in files and emails, excerpts of databases, all these different places out there. These rules don't say, oh, just track it in your largest databases. You have to find it wherever you are.
And we're now beginning to see organizations waking up to the realization that we got lots of stuff all over the place, and it's becoming a big issue. We're dealing with a client right now, they're working with a works council. They have a subsidiary in Europe, and one of the works council in Europe is basically saying for their internal group data transfer agreement, Germany is saying, you can have information on German employees and you can transfer it to a less secure, less rule following place in the United States, but we have to have an agreement of what you need to do.
And increasingly, like this company is realizing, is that they have to update those transfer agreements. And Europe is getting much stricter saying, whoa, tell me how are you doing it, telling you what you have.
And so there's a potential that especially within the six to nine months, a lot of US companies are going to face minor crises when they can't move their European data to the US.
We're going to see a similar crisis, we think, in California. I can talk a little bit about that, not necessarily from the regulators but from the employees. But the rules are new. There's a new sheriff in town that says you can't keep personal information forever. You have to know where you have it, and you've got to delete it after a reasonable time and you have to delete it when somebody requests you to.
And there's some exceptions to that, but the whole landscape is changing.
Bill Tolson: Well, and data minimization is an ongoing process. It's not a one and done. It's not a defensible disposition type of process where you look back at the 100 terabytes worth of data sitting in file shares somewhere and say, what should we get rid of versus. Which I think is an excellent process, and I've done that in the past.
But data minimization, and tell me if you agree, is like a forward looking ongoing thing. What data do we constantly need to be getting rid of? And like you say, and I focus mostly on privacy laws and PII and stuff, but it can be any data. Because you're taking up space, you're potentially affecting employee productivity. Because the more data you have, the longer and harder it is to find very specific things.
On the legal sense, that data, some piece of data might actually turn out to be a smoking gun that should have gotten rid of because it was expired three years ago. All of those kinds of things mean it's basically ongoing data hygiene.
Mark Diamond: Yeah, companies are rediscovering the challenges of managing data. We are seeing some of the privacy teams out there that are coming out with data retention policies. And these data retention policies are policies that say, here's our personal information and here's how long we can and can't keep it.
A couple of things: most organizations already have data retention policies. They're called records retention schedules. Although a data retention policy may focus exclusively on personal information, data retention policies and records retention schedules are essentially the same thing. We think it is a bad practice to have a data retention policy that is separate from a records retention schedule.
What we're seeing is organizations are privacy enabling their records retention schedule. They're having in their schedule both legal and regulatory requirements, business value, but also lists which of their data information has personal information associated with that. And they're also putting in the policy of business justification process.
You are allowed to keep personal information longer than a legal or regulatory requirement. Let's say the rules say that this is a record we need to keep four years. For employee data, you can make an argument saying we're going to keep it for six years. But you have to document why you feel that way and what your business justification is.
And by the way, it has to be reasonable. You can't say we're going to have it for 10 or 15 years. By the way, do we call this a data retention policy? Do we call this a records retention schedule? I don't care if you call it a potato. Let's not get hung up on labels. What we're seeing in some cases that the privacy folks are going off on their own little area, now they're coming back on the records.
The other thing is that some of the privacy folks are realizing that managing data, as you say, Bill, is a process. It's not a one and done. It's not, oh, just tell everybody to delete all this stuff. It is an ongoing process, and in most cases it needs to be automated. It needs to be integrated with business need, and in this case also with the records retention schedule.
So again, this is the "oh my gosh" moment that organizations are and will be going through in the next six to nine months, to realize that, hey, we've got to make all this sync together. Which goes back to the comments we had earlier about organizations implementing a full information governance framework.
When we talk about managing data we need to manage it for records retention, we need to manage it for sensitive information, including privacy. We need to manage it for data security classification. We have to have it for business value, for productivity and collaboration. So there's all these factors going into managing data. And if you silo it, if you just do one, you're either going to make it very cumbersome and you may also develop conflicts.
And so it's this big picture view that organizations are beginning to realize, Hey, we need to address this.
Bill Tolson: And like we mentioned a couple of minutes ago, the newer privacy laws are starting to document data minimization as an ongoing requirement. But also on the legal side, just in October of this year, there was a case that was settled, basically EyeMed Vision Care and the New York Department of Financial Services.
And it related to a breach in 2020 that exposed consumer information, PII, to an unauthorized individual, obviously a hacker, cyber crook. In this consent agreement, EyeMed agreed to pay the Department of Financial Services a $4.5 million penalty in addition to implementing a bunch of mandatory additional security steps. And those security steps called out their various failures. And there were four main failures, failure to implement and maintain multifactor authentication. We've all run across that. I think it's a great practice. It's not foolproof, but I feel better having it there.
The second one was lack of adequate risk assessments, which I'm sure that Contoural probably does correct, Mark?
Mark Diamond: Yep.
Bill Tolson: Okay. The third one was failure to limit user access privileges, which makes sense. But the fourth one was that they had insufficient data disposal policies and procedures, which were referred to in the consent order as data minimization. One of the mailboxes just collected lots and lots of stuff, and it had PII going back six years.
And the judge said, "No, you didn't need that stuff. You should have gotten rid of it."
So again, if you're curious, it's EyeMed Vision Care case. Just do a search on EyeMed and you'll see this come up. But the consent order is really interesting the way the judge goes into it.
I just did two webinars, one with DLA Piper and then another one with a legal consulting company on the East Coast about data minimization. And we had, obviously, not obviously, but we had a lot of interest from registrants and stuff like that. So it's obviously something on people's minds.
Mark, do you have potential clients come in and say, Hey, we're looking for direction around data minimization?
Mark Diamond: All day. The culture of records management has been, we're going to be compliant with our... We're going to basically save everything forever. Oh by the way, in saving everything forever, because most records retention rules declare that you have to keep something for a minimum period, people go, "Oh, good, we're compliant. That's fine."
Well, as I said, there's a new sheriff in town. If you have lots of data all over the place, some of it may be subject to breaches and some of it may run afoul of these privacy laws.
And I would say that I think the breaches, we're seeing it. We've had some major breach cases in the last three or four years, both credit card companies and retailers that have faced major... And that's really gotten companies attention.
I'll say something a little controversial, I don't think we've really seen the shoe drop in the world of privacy. We've seen a few fines out there for privacy. You mentioned that New York Department of Financial Services for breach notifications. We think that most companies haven't really believed that bad things are going to happen to them in the world of privacy.
Many US companies have not. I think Europe is a different story. They're like, well, these privacy laws are really designed to go after Facebook and Google, and they may go after us or may not. But yeah, I know we got a lot of data. No, we haven't quite done this.
I think that's going to change from two aspects, both from a regulatory aspect. I think that the regulators are, and we're beginning to see it, are really going to step up their enforcement saying, listen, you've had enough time. You've known about this stuff. Get this stuff done now. Or they're going to start fining or doing other things.
There's another driver associated with this that I think will possibly have a bigger impact, especially in California.
So in Europe, whenever there is any employment action, a reduction in force or something like that, all these employees are beginning to make all of these personal information requests. "Hey, tell me what personal information you have on me. Can you show it?"
And the company's going, what the heck's going on here?
What's happening is that they're raising these personal subject access requests for their personal information basically to create pain on the company in order to get a larger unemployment settlement or separation agreement or whatever, trying to use it as leverage out there. We're seeing that happen in Europe.
I can easily envision, and I'm not happy about this. In California, employees that go through any type of employment action in California saying, "By the way, have you got all my personal information? Have you deleted it? Can you justify it?"
And it's doable if you're ready for it. But a lot of times we find personal information all over the place. The analogy is what we saw a decade ago when the e-discovery laws expanded, and all of a sudden plaintiffs started using e-discovery as a weapon in litigation. You could have a really, really crappy lawsuit, but if you could force a lot of e-discovery pain, Hey, look for this, look for this. And a lot of expenses associated with that, you could drive a settlement.
I fear that the same thing is going to happen in California and other states for companies that thought, oh, this doesn't really apply to us. Oh yeah, they're going to do this.
A regulator, we're way down on the list for the regulators to come after us.
And that may well be true, but pretty soon employment lawyers representing laid off employees or RIF'd employees or terminated employees are going to start using this as a weapon. And I think we're going to see that in Q1 and Q2 and Q3 of 2023.
Bill Tolson: Well, and that was one of two thoughts I wanted to close out the podcast with, or two discussions. One was you just mentioned sort of, and I term it as DSAR, or data subject access request, which is a right in all the privacy laws. But I see an upcoming DSAR weaponization.
And like you just described, Mark. But also I can see hackers, ransomware people, all kinds of nasty individuals flooding a company with DSARs. And a company has to respond to them, because if they don't and it's a real DSAR, then they start getting into a lot of trouble.
So you can imagine potentially a company that's receiving 2, 3, 4 data subject access requests per quarter, all of a sudden getting a thousand. And I've seen estimates from I think it was IDC and Gartner that said, currently the average cost of responding to a DSAR is $1,400 on the average for all size companies.
But you can imagine a company not prepared for it getting hit with hundreds or thousands. Even worse, what if a ransomware / extortionware attack happens? They copy all of your sensitive PII and then use that PII to flood your system with real DSARs? Or at least from real people.
So I think that's one thing. But the other thing, Mark, and I know I've mentioned this to you before, is this idea of with the privacy laws, they're bringing up this idea of DSARs. And even with a legitimate data subject access request, like you mentioned at the beginning of the podcast, the law basically says you must report and you must find a report on all of that data subject's PII and then delete it if they ask you for it.
But 70, 60, 70, 80% of a corporation's data is sitting on laptops and workstations that are not necessarily visible to IT.
So what if IT gets a DSAR from Bill Tolson saying what data you have on me? Sure, they're going to look at the easy stuff, the enterprise stuff, but what about my laptop that has a marketing spreadsheet in it that has all kinds of PII in it? IT will never find that.
Like they do with litigation hold requests, they might send out a message saying, "Hey, go look and see if you find any PII." Those things almost never work. But I'd like to get your opinion on what I term as an inflection point for information management, that's this idea that I think companies soon, very soon, are going to have to start managing all of the data within the company. Not just the enterprise data sitting in databases or file shares, but everything including what's on your laptop and what's on my laptop, because these privacy laws are going to demand it. What do you think about that?
Mark Diamond: I very much agree, and I think that there's a lot of threats out there. I'm not so bought in that we're going to see the massive DSAR. I don't know. I do worry more about the employees, because I think the terminated or RIF'd employees could use this as a weapon.
But let's turn this a little bit. Let's say, Hey, we have these risks, we have these threats. The good news is you start thinking about this and it gives you a headache, and you're going, oh my God, how am I ever going to be able to do this? Or how is this ever going to work?
The good news is that these are solvable problems with products like Microsoft 365 and Archive 360 and applications. And also with a smart approach, this is very doable. If we had these problems four or five years ago we'd go, "Ooh, this is hard."
No, actually we think getting to a better state is doable and something happens too. Many organizations start out, and as you alluded to Bill, they said, can we do data minimization? Or, we got to be records compliant so we need to reduce... We got to be less cost and risk in the case of e-discovery. And those are all great drivers. I love those drivers.
As they go through the journey, what they begin to realize is that these start off more from compliance and risk projects to employee productivity projects. We've got lots of employees that are working from home all over the place.
And the money card, the win is, oh, we're going to implement a system that not only doesn't make the employees mad, we're not just about deleting stuff, we're about finding the important valuable information and making it more accessible. We're going to get a productivity bump out of that.
That is the win behind the sales that gets these programs moving forward. And if you can combine that with the risk reduction, with the better compliance, that's a winning program. That's a winning strategy.
And so what organizations are going through is that they're... We're doing a webinar on the five stages of privacy. It's denial, it's depression. What are the stages you have to go through to do that?
Well, you get to the final one. It's acceptance and going, "Hey, this actually is not a bad thing." Yeah, I've got scary reasons why we need to do this, but we can make this part of a winning business strategy. And it's doable. It's very doable even in large complex organizations, mid-size ones too. It's just a question of combining the right kind of policies with the right processes and the technology and the training.
It's doable and it's winning. And so before we get all depressed about how ugly the world can sometimes get, let's get happy knowing, hey, actually we can do this and we'll get a win out of this too.
Bill Tolson: Yeah, you might see a decent or a lot of value out of having to respond to it that way. I know we're running up against the top of the hour here, Mark. And you mentioned data minimization, and some companies basically saying we want to save everything forever.
Mark Diamond: Well, the employees say that. The companies, the legal and the records and the IT people wring their hands saying, "Oh my gosh." But the employees are doing that.
Bill Tolson: I remember when General Counsels would say, just keep everything forever. And they don't do that now, by the way. But I remember years ago, one of our salesmen and I were in a large company that served North America. And we were meeting with the legal staff, and there were probably 15 or 20 of the legal staff there. Paralegals, attorneys, and the GC.
And we were talking about records retention and all kinds of new stuff, archiving. And I asked the GC, I said, "What is your records retention policy now?"
And he very proudly said, "After all kinds of study and all this research and everything, we've decided we're going to keep everything for 34 years."
And I was a little taken aback because I knew what the answer should have been, and it wasn't 34 years. And I said, "Well, how'd you come up with 34 years?"
And he started explaining, and a very interesting guy. But while he was doing that I was doing some calculations, and I think they had 10 or 11,000 employees. And looking at the average number of emails and all this other kind of stuff, just pulling stuff off the top of my head. And I was calculating.
And finally he got done, and I said, "Do you understand that after 34 years you're potentially looking at hundreds of petabytes or even exabytes of data." And this was before cloud was real big. The amount of spinning disc you're going to need for this stuff is monumental. And he looked at his entire staff and looked at me and smiled. He says, "I don't care. I'm retiring in two years."
And I thought that was funny as hell, but kind of sad too.
Mark Diamond: Kick the can down the road. Well, the kicking the can down the road strategy, we used to say, "Well, we're saving everything forever. I know that's not good, but I guess we'll live with it."
Well, under the new rules? No, actually, at least for some of your information, you can't do that. So again, we've got to be smarter.
Bill Tolson: And the other thing to close out on, Mark, just wanted to get a real quick opinion on it from you. I know in a lot of the privacy laws the right to erasure, the right to be forgotten, those kinds of things. They term it different ways, but it means basically I can ask for my data to be deleted.
And I've talked to European lawyers as well as several of the state senators who've authored privacy bills in the United States. And I've brought up the same question, that is, does the right to deletion imply, because none of them say it outright, but does it imply an unrecoverable erasure? Meaning you can't recover the data you just deleted, a 15-year-old can't recover the data you just deleted with a Norton Rescue Disk.
And not surprisingly, most of them had no idea what I was talking about because they have no IT background. But the Europeans, especially a lot of the attorneys said, well, of course it means unrecoverable deletion.
And my question, and there is no direct answer. And I don't know if you know it or not, but do standard information management, records management, and archiving applications do an unrecoverable deletion, or do they just do a simple computer delete and it's not really gone?
Mark Diamond: Well, I would make the argument you probably wanted unrecoverable deletion, but I'll also make the argument, let's not let perfect be the enemy of good.
Bill Tolson: Yeah, I've heard that from you before.
Mark Diamond: Yeah, let's make some reasonable good faith efforts. Let's put a strategy together. Let's start executing it. Let's be smart about it. Let's show the regulators that we're trying to do the right thing.
One of the challenges right now, there's still a fair amount of non-prescription, especially around the worlds of privacy. What do we do? Well, let's make a decision and do it. And we can always change it later, but I'd rather have you attack a gray area and do something consistently, albeit a little bit wrong, but it was based on reasonable good faith efforts, than waiting for the perfect clarity, which will never happen.
Bill Tolson: Yeah, I know, intent goes a long way with some regulators. So making that attempt at doing it is a good step.
So Mark, I know we're out of time, and this will wrap up this edition of the Archive 360 Podcast. I really want to thank you for a really enjoyable and interesting discussion today on the subjects of information governance, data governance, and privacy.
I learned a lot, and I really appreciated it. If anyone listening to the podcast has questions on this topic or others, or would like to talk to a subject matter expert, please send an email mentioning this podcast to email@example.com or you can directly email me at firstname.lastname@example.org. We'll get back to you just as soon as possible.
You can also email Mark at Contoural with questions that you want to pose, and his email address is info@Contoural.com. Also check back at the Archive 360 resources page for new podcasts with leading industry experts like Mark Diamond here from Contoural on a whole variety of subjects including data security, data privacy, information management, archiving, records management, and the list goes on.
But I want to thank everyone for listening today, and Mark especially, I want to thank you for taking the time. It was really a great discussion.
Mark Diamond: My pleasure, and I'll just close out by saying that this feels hard, and listening to this it still sounds like a lot, but it's doable. And so we wish you success as you tackle these issues.