Description:
Our latest episode features Steve Weissman, the "Info Gov Guy" at Holly Group. Steve and Bill discuss how the myriad of state privacy laws will drive big changes for information governance professionals. Currently, 15 to 20 new states are projected to have their own privacy laws by 2024, all with different definitions, different exclusions, different rights, etc. How does an organization track these differences and maintain a high level of coherence?
Speakers
Steve Weissman
Mr. Weissman is highly regarded for his populist style and is uniquely accessible for a thought leader of his experience and stature. A dynamic writer and public speaker, he blogs regularly, presents often to senior staff and internal program teams, and consistently ‘wows’ participants in public and private conferences, workshops, and webinars. He also has hosted two pioneering Internet Radio programs (Content Is as Content Does and Inside Information), and currently produces two YouTube video series, Perspective Check and Speaking Of ….
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. This week's episode is titled, The Next Hurdle For Information Governance: Privacy Laws Will Drive Big Changes. My name is Bill Tolson and I'm the vice president of compliance and eDiscovery at Archive360. With me today is Steve Weissman, also known as the Info Gov Guy, from Holly Group.
Bill Tolson:
Steve, thanks again for taking the time to join me today.
Steve Weissman:
Thanks for inviting me. Curious to see where this goes.
Bill Tolson:
Yeah, it's going to be a fun podcast and really this idea that we've talked about before of the emerging privacy laws and what that means for companies in general, as well as the information management, information governance profession. I think it's going to be interesting. So I'm looking forward to the discussion.
Bill Tolson:
So let me kick it off. You know, ever since the passage of the EU's GDPR data privacy law several years ago, many countries around the globe have also passed data privacy laws. I think at last count there's like 135 or 140 countries that have existing or newly passed data privacy laws to protect their citizens from PII theft, misuse, the selling of PII by data brokers and other things.
Bill Tolson:
So it's gotten very serious, but still I think to this day, the GDPR is the standard for privacy people to look at because it is so detailed and has massive fines associated with it.
Bill Tolson:
Also in the last several years, the individual US states, after waiting for the feds to get their act together for many years, have begun to pass their own data privacy laws. To date, there are five states with data privacy laws, California being the first and then Virginia, Colorado, Utah, and Connecticut, with a whole bunch more still probably to happen the rest of this year.
Bill Tolson:
And then probably a bunch, bunch more by next year. Potentially by the elections in 2024, there'll be another 15 to 20 states with their own privacy laws, all slightly different. They have different definitions, different exclusions, different rights, they're all very close, but these differences are going to make it very complex for companies to track this stuff.
Bill Tolson:
So I think people are probably asking, "So why is this topic important to the information governance professionals?" Well, let's get into our discussion with Steve and find out. Just to kind of set this up, Steve, and I know I've talked to you about this before, I've spoken with several privacy and security subject matter experts on this podcast, as well as several politicians, senator, state representatives who have authored state privacy bills.
Bill Tolson:
It's obvious to me that these new privacy laws that will emerge over the next two years will change how corporate data will need to be managed, secured, made searchable and disposed of. The corporate records manager's role has always been to capture and manage primarily only those documents that are considered records and that by regulatory compliance data retention laws need to be kept.
Bill Tolson:
That usually amounts to five to 10% of all data in a company. Does that sound right to you, Steve?
Steve Weissman:
Yeah, it does. I wouldn't bet a lot of money on if that's the actual percentage. Certainly in terms of orders of magnitude, it is really just, let's mix the metaphors, it's the tip of the information iceberg. There's no question about that.
Steve Weissman:
But what's still surprising to me and somewhat concerning is that even though, especially from Europe, the privacy drum has been banged so loudly, it's not really being heard in the way perhaps you might hope here in the US. I think the attitude here is, and not necessarily for records people per se, but overall it's like, "Well, we'll wait for somebody to get sued and hopefully it's not us. And then maybe we'll do something."
Bill Tolson:
Yeah. Yeah. I mean the GDPR, the first couple of years wasn't very actively enforced, but in 2021, they really picked up enforcement. And I think for the year, 2021, there was a billion euros worth of fines assessed. So they started finally to pick it up. And I think California will probably follow the same general idea of waiting a year to get real active in it.
Bill Tolson:
But in my mind, in my consulting days, I was in lots and lots of businesses, and you found that there was a minority of the data being managed mainly for regulatory compliance. But the rest of the working data, which is actually controlled by individual employees with no real visibility by IT or others, I think at least American culture, North American culture was, we're going to let the employees worry about that and they can decide when they delete it, what they should do with it, how long to keep it, if ever.
Bill Tolson:
They really threw the responsibility off to the individual employees. Individual employees aren't records managers so they didn't do anything. I don't remember doing anything with all the data I held as well. But that's, I think, one of the issues is what about that data when it comes to privacy laws?
Bill Tolson:
And people might be asking, "Well, what the heck does that have to do with privacy laws?" Well, a lot of this data, this working data and spreadsheets and PowerPoints and all kinds of neat stuff, some of it could have what the state laws are highlighting as personal attributes.
Bill Tolson:
You know, PII, email addresses, descriptions, addresses, these kinds of things that when a data subject, a citizen, say me, I send an email to Archive360 saying, "I want to know what kind of data you have on me." They're supposed to report it. They have 15 days to say, "Well, we didn't know who you are. We don't have any data on you." Or, "Here's the stuff we have."
Bill Tolson:
And usually a company is going to go to their IT group and say, "Run a report." Well, what about all of that data sitting on employees' laptops and workstations and cloud accounts and all that kind of stuff? That I think is the crux of at least my suggested problem, Steve, what do you think?
Steve Weissman:
I think that encapsulates it very well. My issue with all of this is that the only real motivator is the fact that these privacy laws now exist. And the problem with that is, I'll put this in air quotes because I don't want to paint the world with a single brush, but "nobody cares". And even when you look at the fines, when you aggregate the number the way you did, it's a very large number and it ought to capture people's attention.
Steve Weissman:
And what I mean by people is not the folks pulling information off their hard drive or even their office's shared drive. But the ones further up the chain who ought to know better. For big companies, the fines aren't big enough in my opinion, to be more than a cost of doing business.
Steve Weissman:
If you look at it on a per-individual basis, yeah, it costs. "Okay. We can live with that." So as things roll out here in the US, a big part of me would like to see these laws not only have teeth, but big, scary teeth. If we really want to be serious about it, then we have to make it actually hurt when there's an organization that's playing fast and loose with personal information.
Steve Weissman:
Now let me qualify that a little bit, because that makes it sound so nefarious. Like organizations are setting out to suck all the personal information they can get out of me and then do something with it that, a "Ha, ha, ha," you know?
Bill Tolson:
Yeah.
Steve Weissman:
In a lot of cases, what I see... Here's one of my favorite examples. I was getting a briefing with a vendor and they were running a demo and it was just our group. So it's not a big public thing. It wasn't a webinar at a conference or anything like that, but they showed a sample document and it happened to be an actual document of the sales rep that was doing the demo.
Steve Weissman:
I forget what it was. It was a 1099 or it was a W2 or something. And there it was in all its glory with his name and his address, and his social security number.
Bill Tolson:
Oh, wow.
Steve Weissman:
What had happened was, in building the demo, they asked for a sample document just to test it and make sure it worked. So the guy said, "Here, use mine," and it stuck. They never swapped it out, they forgot. I don't really know. So I think it's important to point out that in a lot of cases, there's no evil intent. But it still happens and it's still problematic. And in this day and age, there are really good tools available.
Steve Weissman:
Not only to help prevent it from happening, but to fix it after the fact. So what's the motivator for fixing it? Maybe you get sued. How much does it hurt? Is it worth it? If it's going to cost you, I don't know, I'm making up numbers, 100 grand because you're not Google or 500 grand, but it's going to cost you 1,500,000 to put in a system. Again, I'm making up numbers, but it becomes a math equation I guess is my point.
Bill Tolson:
Well, you need to do an ROI measurement, and part of the ROI is negative net to brand equity, all kinds of things. But in the various privacy laws, including ones in the state, I mean the fines vary all the way from in California it's $2,500. But it's $2,500 per instance.
Bill Tolson:
So if you suffer a breach of PII and the PII was not encrypted, and there were 10,000 items or data subjects within the breached data, then it's 10,000 times 2,500. That's where, if you're looking at individual types of things, and you touched on it a little bit right there, some of the laws, not many of them yet, but some of the laws have what's known as private right of action. Which means the data subject, me, can sue the company separately.
Bill Tolson:
Now, in many of the state bills, they set up enforcement with the state attorney general so individuals can't sue. The attorney general has to decide whether they're going to place fines and all that kind of stuff. But the fines do vary. And Colorado is the state I'm in, and the basic fine is $25,000 per instance. That can get costly as well.
Bill Tolson:
But I think what can happen, and they've started to notice this in the EU over the last couple of years is with this idea of the right for an individual to know what data a company's holding on them, how it's being used and eventually the right to have the company delete it all. The right to erasure.
Bill Tolson:
And the problem, and I've talked to European attorneys about this, the problem is if IT in your company isn't managing all of the data, the stuff on my laptop, on workstations and all that other kind of stuff, then how can they search and find all instances of Bill Tolson's PII and delete it and say, "Yeah, we did it."? When there could be stuff on all of that other machinery and computers.
Bill Tolson:
I think that's what I was posing as a potential problem. Well, not even a potential problem. It's a real problem.
Steve Weissman:
It is a real problem. And in fact, as you were saying that, I've just written a note to myself with exclamation points and lots of pretty colors: right there is the intersection between all the privacy stuff in the microcosm, and information governance in general. Because if you're not managing information in general, you can't know.
Bill Tolson:
No.
Steve Weissman:
And even there, I haven't read every word of every law enacted and pending. I'm curious to know how they're written, too. Is it you make reasonable efforts, whatever that means? Or, all the information you can find when you're responding to a DSAR? Or is it every mention, everywhere, from any time? And if it's the latter, then yeah you have a problem because you don't know.
Steve Weissman:
And you know, that's true even if we start from a different angle and come at it from the perspective of records managers. They have the same problem because there are multiple copies of "records" very frequently in most organizations. Even if they're just review copies or drafts.
Steve Weissman:
And so that's a whole separate, but connected, can of worms. Which is the real one? And do you have to keep the drafts? And do you have a policy that says it all has to live in this repository and not in your desk drawer? So all this stuff, there are all these moving parts that really to be effective to a certain point, organizations have to address kind of all at once. Even though you can't do all of it all at once.
Bill Tolson:
Yeah. And then you brought up a good question. What do the laws say? And it's really funny. A lot of them, at least in the states, copy each other. They aren't that different, but they do make subtle changes that change the whole thing. But on the security side, they'll say, "Company must use reasonable security practices to protect the PII," which is a ridiculous thing to say. But they all say it.
Bill Tolson:
Almost exactly the same sentence when they're doing it. Define what's reasonable. A first year attorney can fight that one pretty easily. But when it comes down to how the data is to be acted on, like you say, number one, what data did you have on me?
Bill Tolson:
They don't parse it. They say, "Well, you have to report back on what data, what PII you have." Not what data is easily accessible or anything like that. It's what data? And then for the right to deletion is, all PII for that given data subject must be deleted.
Bill Tolson:
Now the question, and again, it doesn't parse it. It doesn't say, "Make your best effort," or anything like that. They all say, "Must be deleted". Now, one question that I have never gotten an answer to and I've asked experts all around the world. First question is, "What about that PII on that data subject that's sitting on a backup tape?"
Steve Weissman:
Yeah, no kidding. Because if you're going to delete all of it, you have to actually delete all of it.
Bill Tolson:
And I talk to GDPR attorneys in the EU, and they all sit there and they're quiet for a minute and they'll go, "We don't know. But the intent is all data must be deleted. All PII must be deleted." So what about, there has not been a case yet that's gone into the EU courts for that backup question. There hasn't been one in the United States as well.
Bill Tolson:
But the second question, which is as interesting, is, when they say you must delete the PII, is that an irrevocable delete? Because standard computer deletes are soft deletes.
Steve Weissman:
Right. They just remove the pointer to the data, not the data.
Bill Tolson:
Exactly. And most of the attorneys I've talked to have all said, "Even in the GDPR, they didn't necessarily say it, but they imply it, that data must be irretrievable." So if you delete it, it must be completely gone and cannot be brought back with Norton or something like that.
Bill Tolson:
But again, there hasn't been yet a case on that. But I think the backup question is really interesting. But the whole idea of, and we've already touched on this, but again, the whole idea of, well if the data subjects have these rights, then probably that means that information management, information governance professionals are going to have to be involved in helping companies manage all of the data.
Bill Tolson:
We've talked about this before. That's going to be a huge cultural shock, I think, to employees.
Steve Weissman:
Oh, no question about it. It is already happening. In fact, let me see if I can put a rough number on it. I'd say two-thirds of the recent engagements that I've been involved with, because I am still in my consulting days, have been pointed in that direction. So it's like, "I've been given the responsibility to start making sense of this, and to try in a certain sense to unify all the information silos that we have. So we can figure out what information we have, and kind of set the stage for the rest of the stuff to come."
Steve Weissman:
What's fascinating to me. And it's a little bit more of the point I touched on just a bit ago, these clients are coming to me from different directions. Some of them are the legal group within an organization. Certainly there are records people involved. Some come by way of IT.
Steve Weissman:
And they're all kind of sniffing around the same issues with their different perspectives. So a big part of the challenge here is often there are these multiple initiatives taking place from all of these different directions within a single organization. And they don't even know about each other's existence until at some point, and often it's me and my team, as we do our diligence, we say, "Hey, do you know that you have an IG group set up over there?"
Steve Weissman:
"Really? I didn't know that. We never heard anything from them."
Steve Weissman:
So it is beginning to happen. There is a small, but growing recognition across, I'm waving my hand you can't see that... A voice made for radio. There is a growing recognition that this is a much more expansive notion than anybody first thought.
Steve Weissman:
And the things that they discovered going on, that during the research I'd just been told, "Oh no, that doesn't happen."
Steve Weissman:
"Do you have SharePoint sites that you don't know about?" Which is kind of a silly question to ask an IT guy because it's his job to know about everything. So of course, the answer's always, "No, we don't have any of those."
Steve Weissman:
"But would you be surprised to learn..."
Steve Weissman:
"Really? They're not supposed to do that."
Steve Weissman:
And in one case they have, I forget how many dozens I think, of SharePoint instances that all have the name "test" in one variation or another. So even like, "What's in it?"
Steve Weissman:
"I don't know."
Bill Tolson:
Well, I have a similar experience. In my consulting days, I was at a very large company and one of the first things I asked them was, "How many servers, how many data repositories, how many SharePoint?" All that kind of stuff. And it took them about two weeks to finally get back to me. And they said, "Well, we have this many SharePoint server or SharePoint instances and this many repositories. And we believe we have like 857 additional servers being used for various things."
Bill Tolson:
And I said, "Interesting." I said, "Have you mapped all that out? You're sure about that number?" And they said, "Oh yeah, no. We're sure about it." For some reason I didn't necessarily believe them. So after another couple of weeks I had tracked down and determined they had 5,000 servers instead of 857. That they had no idea what they were even doing, if they were being backed up or anything.
Bill Tolson:
So this is going to be a monumental challenge for companies and for information governance people, because they're going to be pulled into it. In my days, I think I only ran across two companies that actually were managing all of the data, including data on laptops and workstations and all that kind of stuff. And they do it with syncing capabilities and things like that.
Bill Tolson:
One was a big distiller and one was one of the big banks, and basically they controlled how data was saved and all kinds of stuff. So those were the only two. And when I have brought the subject up over the years, I get these looks from many people like, "This guy's nuts, show him the front door," because physically, technically you can't do that. But even more so culturally, "You're not going to tell me what to do with my data. It's mine. And it's for me to decide."
Bill Tolson:
I think that technically, obviously, it could be done. I think in my mind, it's going to be the pushback from old hand employees that have always had control of the data, and they go back and reference it a lot and all those kinds of things, to look at it and say, "Well, gee, this data might disappear one day and I might not know why."
Steve Weissman:
Yeah. And it's funny, once again, you articulated what I was writing down. The notion of the culture change. I mean, we started with sort of the cut and dry, where are we with privacy regulation, blah, blah, blah. And we quickly have launched ourselves into the broader universe of people.
Bill Tolson:
Yeah.
Steve Weissman:
People are a pain, "Because this is how things have always been done. I've been here 40 years and da, da, da." And you're exactly right. I'll give you another example, more true stories. We were helping do the diligence, and actually the client found this before we did. And it's one of the reasons that we were engaged, because it's like, "There's got to be more of this."
Steve Weissman:
So there was a senior executive who, for whatever reason, was having a really hard time getting into his email while he was on the road. They were using Outlook. On his own, he took his PST file and he put it in Dropbox so he could get to it from wherever he was and nobody knew it. And he felt justified because "I'm important, and I need it." As you say, "My email, and so I just went ahead and did this."
Steve Weissman:
So like nature, people will find a way. And again, we're into a much soupier mix because the way that you attack stuff like that, it's a whole combination of things, including policies and procedures and the enforcement thereof. Because as I like to say, "Having a good cop is completely meaningless unless you have a bad cop."
Steve Weissman:
So that's a big part of it. And it has to be uniform across the organization, and there has to be training and education in an ongoing way. And for me, it's like, you've got to make this part of the onboarding process with new hires. You're not going to do all this in three months.
Steve Weissman:
Eventually as the old school retires or leaves, and the percentage of the staff grows in terms of who is newer, they're just going to come into the organization and be indoctrinated right from the start that this is how we manage our information. It is a valuable asset to this organization. And it becomes the same thing as, "Welcome. Here's your badge, here's your key. There's the men's room, and by the way, you can't put your PST file on Dropbox."
Bill Tolson:
Yeah. Data has a lot of value, but it also has a lot of risk, especially in now this privacy stuff, but also even in eDiscovery. That PST thing you talked about, how would a corporate attorney be able to tell the judge, "Yeah, we did a complete search for eDiscovery," and later found out this guy had a PST in some place that no one ever knew. And he was one of the custodians that was targeted. That's a violation.
Bill Tolson:
Then think exactly the same thing, even with something as simple as PSTs, what kind of personal data could be on there? So I absolutely agree with you and this idea, and the question is, I think the overriding question is, it's not, "Are we going to have to do this?" It's, "How are we going to do it?"
Bill Tolson:
And we get into the culture problems and stuff like that. But as these laws get passed, we are not going to have five years, 10 years to change people's culture. It's going to have to happen a lot quicker. So I was thinking about that and eventually you want to control all of the information. That's the bottom line, that's where we're going. And does that mean applying retention disposition policies to it? And whether it's on your laptop or whatever it happens to be, I think that's where we need to get to because we need to know what's in all of that information for the various regulatory requirements.
Bill Tolson:
But in the meantime, can we do something as simple as, "Well gee, anytime you have your laptop and anytime you sync up to the network to get your email or something like that, it syncs any new data centrally." So at least we can index the stuff and say, "Yeah, here's some PII on Bill Tolson." And not try to manage the data yet, but at least know what's there so that if some troublemaker is constantly bugging a company about, "Okay, what information you have on me this month? And I want you to delete it and all this other stuff."
Bill Tolson:
At least you can consolidate all of the data to be able to search on it and index it and say, "Yeah, we know what data. We have access to our central systems. We have data from all of our edge devices. So at least we can respond to the DSAR."
Steve Weissman:
Right. And I'm smiling here too because holy cow, shades of Lotus Notes in the 1990s. That was its model. Now the infrastructure, it was great. At first I think it was great, and it was a great idea and it worked pretty well. The issues I always had with it when it didn't work pretty well were infrastructural.
Steve Weissman:
Today, most of that has gone away. And what I mean by infrastructural, as much as anything, is bandwidth. There are lots of different ways to architect that. I happen to like that, but the technology is within reach that if you wanted to keep it all centrally somewhere, and now we're back to privacy and the trans-border data flow stuff, you could. And it would still work.
Steve Weissman:
Which reminds me of something you mentioned a bit ago about how, "Well, this is what IG people are going to have to wrestle with," which is true. But I'd modify that slightly to say, "This is where the IG people are going to come from as organizations realize that they have to deal with this on all these different levels." They're going to need a lightning rod. They're going to need some single point of coordination, that in my mind, is the IG person. A fairly senior person with a team eventually, to keep track of all these moving parts.
Steve Weissman:
Because right now, generally speaking, I don't think most organizations have IG people. And they're only just beginning to recognize that there's a thing called information governance, which they may not even call it that, that requires them to start looking around them and say, "Holy cow, we have all these SharePoint sites, and especially since COVID when working from home is no longer a weird thing to do."
Steve Weissman:
Now, you talk about a distributed architecture and what do you do? And sorry, on my soapbox a little bit.
Bill Tolson:
I love it.
Steve Weissman:
But think about what's happening here. One of my close colleagues is getting certain engagements that require us to have separate machines to use that are the property of the client. Now in a lot of cases as consultants, we don't keep the data here because they set us up through a Citrix something or the equivalent so we can work on a virtual machine at their place.
Steve Weissman:
But increasingly it's, "No, you have to have a separate machine." And it's always been back to your point about, "This is mine". Memail, I used to call it instead of email. Never were we ever supposed to be commingling our personal information and our company information on the same machine.
Steve Weissman:
Because if it came to it, and there was a lawsuit, they needed the data on your machine. You don't have your machine anymore. And nobody cares that your banking information is on there and your Quicken and your life... all that stuff.
Steve Weissman:
And I look at myself as the typical test case because I'm guilty and have been over the years, of violating all of it, just for convenience.
Bill Tolson:
Sure.
Steve Weissman:
I don't want to be in the cloud. And yet I got in the cloud because I got a new phone and I wanted to sync my calendar from my desktop to the phone. And the only way to do that was to put it all in Google Calendar, because they both talk to that, but not each other. And I didn't even realize I was in the cloud. I was just trying to sync my calendar.
Bill Tolson:
The thing you just talked about with mixing your emails and eDiscovery, when I would go out and do eDiscovery consulting, we would tell employees of the companies that we were working in, "You should never mix your personal and your business emails, even if they're like a Yahoo and an Archive360, because if you sent business stuff home to your personal email account, so you could work on it over the weekend or something like that, and that comes out in a lawsuit, then all of a sudden your personal accounts are open to the opposing counsel. And they're not very nice. So all of a sudden they're tiptoeing through all of your personal emails and attachments and everything because you mixed the two."
Steve Weissman:
Right. And what else might there be?
Bill Tolson:
Exactly. And you mention in distributed architecture or distributed kind of use model because of COVID and everything, and I don't think we're going to walk away from that. That also obviously increases the risk for data theft and ransomware and all kinds of other things. So data security becomes a much more costly, and much more risky problem if it's not being all managed.
Steve Weissman:
Right. It is sometimes very hard to separate, again, "security from privacy," because the steps that you would take to help boost both are overlapped and equally critical. Part of the difference is of course, when you talk about security, you're also talking about, is there a padlock? Does the door lock where the servers are? That is often not the case. You wouldn't be surprised to learn, but listeners might. And it's just so simple.
Steve Weissman:
And then it brings you into things like, what if there's an issue, and business continuity and disaster recovery like, "Oh, the records room? It's in the basement." It's like, "Well, that's great, but you're in South Florida and you get hurricanes and floods and things." Or, what if the sprinkler system breaks? You can't have the boxes in the basement.
Bill Tolson:
No.
Steve Weissman:
And I know it sounds ridiculous. And I know it seems like we're a long way away from where we started with the privacy, but hopefully folks can see the connective tissue. And how it really is one large mess.
Steve Weissman:
The metaphor that comes to my head, it's like the world's largest ball of string. Except you've got multiple threads of strings.
Bill Tolson:
Yeah. It's good for you to bring that original topic back up because that is the whole privacy question, is what's going to drive this need going forward. That companies, organizations are going to need to manage all of their data. And that's a massive task for those who haven't thought about it. Or haven't gotten too far down the line.
Steve Weissman:
We, over the years have developed a reference model, which I mentioned not as a commercial. I won't even tell you the name. Somebody wants to, they can find it on our website. To try to simplify it a little bit, we've sort of drawn overlapping circles in four directions. One of which is organizational change, which we talked about right at the top, because we got to get people on board with it's not your data, and changing some habits. Even though it doesn't necessarily mean changing the way they work. They have to think about it a little differently.
Steve Weissman:
We have a ring that says process change, because sometimes during the course of this, if you're really doing the investigations properly, you're going to find processes that are inefficient. And you're going to find stubs that don't lead anywhere, that are there because it was that way 20 years ago. I do all this and I print a report out and I send it to Bill. What does he do with it? I don't know. I just sent it to him. Why? Because he told me to.
Steve Weissman:
Then you talk to Bill. He says, "You get this thing from Steve?"
Steve Weissman:
"Yeah."
Steve Weissman:
"What do you do with it?"
Steve Weissman:
"I throw it out. I don't need it. I never asked for it."
Bill Tolson:
"First, Steve who? And then I think I threw it away."
Steve Weissman:
Yeah. So the process piece can be important. Generally, you find stuff. There's a collaboration piece, so earlier on when I mentioned drafts of things, a legal brief, or a marketing, whatever, helping people not only work better through the process, but work better together is a piece of it.
Steve Weissman:
Teams right now is a nightmare for organizations because the back end is SharePoint and half of them don't realize it. And the stuff in the Chat, is that a record, at what point does it become a record? I have clients that absolutely forbid its use, because they don't know what to do with it.
Bill Tolson:
Exactly.
Steve Weissman:
And the last piece of course, is the technology piece. Because at the end of the day, you're going to need technology, technologies really, plural, to work in sync. And you're going to need to break down the information silos so that they can begin to behave as if it was all in one big box.
Steve Weissman:
Back to the original point of, we don't even know what we have, to how are we going to find it?
Bill Tolson:
Exactly. And how can we confidently say we reacted the way the law says, when you know you didn't? You couldn't have? Physically couldn't have?
Steve Weissman:
That's right.
Bill Tolson:
Unless you're a two-person consulting organization. Any other thing, it becomes so complex that it becomes impossible.
Steve Weissman:
Yeah. I heard a story. I accepted it as being true, but it could be an urban myth. A few years ago, somebody really put the question to Google, "You have all my stuff, where is it?" And they said, "Honest," again, caveat I'm accepting this is true, I don't really know. But they said, "You know, the truth of the matter is we probably couldn't, because the fragments would be spread across so many different servers. I mean, imagine how big Google's infrastructure is. I don't think we could find it all." And I thought, "Huh."
Bill Tolson:
And there's so much of it. And this is a true story because it happened to me. I, for many years, I had an Android phone and I switched to iPhone for all kinds of reasons. But I went into my Google account and after searching around for a long, long, long period of time, I found where the system had been tracking me through my phone, everywhere I went, for nine years. All the way down to what streets I had driven on, what locations I had stopped at, where I had been in Hawaii on vacation and all of this stuff.
Bill Tolson:
And I'm sitting there going, "Oh my God." So I wanted to delete it. At the time, the only way you could delete it through the Google setup was one day's worth at a time. And this was for nine years.
Steve Weissman:
Oh, my God. But you know, when Mary had a little lamb, that's how they know to follow her everywhere she went.
Bill Tolson:
It was darn scary. But one of the things I was going to say is, for information governance professionals, they're going to be involved obviously with a lot more data. And that data is going to be treated differently because of the risk of it having PII and stuff. And so there's going to be a lot more security around that data too. Whether it's file encryption or even field level encryption, data masking, redaction. So as information governance people are going to be working with this huge and growing amount of data, they're also going to be running into these data security challenges as well.
Steve Weissman:
Yeah. What I always tell my clients and anybody who's willing to put 20 people together in a room, you don't have to be expert in all of it, but you have to be conversant.
Bill Tolson:
Yes.
Steve Weissman:
And you have to know enough about it, so you know who to ask and who to have on the steering committee and all that kind of stuff.
Bill Tolson:
And be part of the steering committee or be part of the committee.
Steve Weissman:
Oh, yeah. Absolutely. If you think about the oddball metaphor of multiple strings rolled up together and on the side of a farm in Uruguay somewhere?
Bill Tolson:
Or in a salt mine somewhere.
Steve Weissman:
Yes. At some point somebody has to take control over one end of all those strings, and get the right people to help untangle them, so that they can be addressed. How is that for tortured?
Steve Weissman:
For me, that's the role of an information governance person or team. The challenge then becomes what do you do and in what order? Which groups within the organization? Because maybe you're in a big place. Again, you can't do them all, all at once. But we have a client right now where they have a lot of groups, they've done a lot of good work themselves already just by the way. But there's one group that's particularly hot to trot.
Steve Weissman:
So it's like, "Cool, we'll start there." And we'll get some good return of the time and money invested. And then we'll show it to the other groups, who hopefully will say, "Oh, that's cool. Yeah. And we know we need to do something. Yeah, we'll be next."
Steve Weissman:
So as a consultant, a lot of the time we spend is figuring out the roadmap. The steps, when you make a list, aren't really that complicated. Here's a commercial, you can get it for free off the Holly Group website. It's 5 Steps To Doing Information Right. There's no great surprises there, but the devil's in the details.
Steve Weissman:
And it can be very challenging over a long period of time. So how you stage it out is really important because organizations... Okay, let's be honest. Bosses, sometimes get impatient.
Bill Tolson:
Oh no.
Steve Weissman:
I don't want to burst a bubble.
Bill Tolson:
Say it ain't so.
Steve Weissman:
So that's not really a technical issue. My mind goes in a million directions. Let's go back to the privacy thing. Many times the boss will read something or maybe he's just been in Europe or who knows? And he says, "This is a thing, isn't it?" And the staff says, "Yeah."
Steve Weissman:
"Are we doing anything about it?"
Steve Weissman:
"Yeah, kind of."
Steve Weissman:
"What does that mean?" And then there's an initiative. And then very quickly they realize it's not as simple as isolating privacy, because we're running into all these other things. And then it's, "Well, we have a lot of stuff on records. That's pretty straightforward." And never say easy, but that's straightforward.
Steve Weissman:
You've got financial records. You've got HR records. Those are well defined and well kept. And then back to your original question, Bill, what else do we have? I don't know.
Bill Tolson:
Yeah, that's it? No one knows.
Steve Weissman:
So oftentimes that's where we get involved. For a lot of reasons, including people already have jobs, they don't have time for this. Plus there's a certain removal from the scene that gives us a broader perspective, and let everybody hate the consultant. You know, that's fine.
Bill Tolson:
Sure. That's what you get paid for.
Steve Weissman:
But however it happens, again to your point, it has to happen. So maybe it's a larger company and they do have the wherewithal to do this. Or they realize that records people already have most of these skills. And so they say, "Here, you guys do it." I'd like to see more of that frankly, because they do have the skills.
Bill Tolson:
Absolutely. That's a great point. And I think quickly, technology is going to start helping out more. I mean with AI and machine learning, a lot of this stuff is going to be automated, with auto categorization and all kinds of neat things, but there's still that next kind of thing.
Bill Tolson:
And that's for companies, organizations, at least in the states, to really come to terms with the fact that they're going to have to manage everything. Not because it's the right thing to do, which it could be using data analytics, you could be able to get interesting information out of that.
Bill Tolson:
But legally speaking, regulatorily speaking, you're going to have to do it. And once one or two case precedents come down that say, "This company got destroyed because they couldn't react to a California inquiry." It's like you say, they're going to put their head down and say, "Well, we won't be the first one to get smashed by this thing. So let's see what happens."
Bill Tolson:
But eventually, like they did with GDPR and the slow takeoff, but now it's really accelerated, it's going to have to happen. So companies' C-level coming to terms with the fact that this isn't a choice, you're going to have to do it to lower your overall risk and you'll get benefits out of it. I mean even benefits for eDiscovery, but it's like I said, and like you said, I think it's going to be, well it will be a major culture shock, I think for lots of people.
Bill Tolson:
So you need to start setting the stage now with people, with employees and so forth. But to get to the point where you are not going to be sued by a data subject or even by a state attorney general, you're going to have to be showing that you're making the moves to get there as quickly as possible. Because especially the state privacy laws, they're like, "Gee, we just passed it on June 1st, 2022. And it's going to take effect the end of the year."
Bill Tolson:
Meaning you have to be following the law by the end of the year or some of them are a year out, but they're not going to wait around and give you exemptions and stuff. It's going to be all hands on deck.
Steve Weissman:
You know, ironically, the good news is there's really nothing better to help shock a culture change than new laws because the answer is, "Hey, don't blame me. We have to. Because the law says so." It's like with a sibling, right? "Yeah, but dad says we have to, if we want to get ice cream."
Steve Weissman:
"All right." So to say there's this new law and we have to do this. Even if that's possibly the wrong reason, it's a great reason because it's unquestionable.
Bill Tolson:
Black and white.
Steve Weissman:
Yeah. Right. So in some ways that's a good thing. Now I'd prefer just the kind of human I try to be, that we do it for more the right reason, which is to take care of our citizens, da, da, da. I think that was for me the most impressive thing about GDPR. It's taken the focus off the information and the document, and put it on the person. I think that's fascinating.
Bill Tolson:
And they centered it on privacy in general. And GDPR makes a statement in the GDPR that privacy is a human right, that's the law.
Steve Weissman:
Yeah. And a lot of people don't realize this, that it does apply in the US.
Bill Tolson:
Exactly.
Steve Weissman:
If nothing else, if there's an EU citizen doing stuff in the US, guess what? It qualifies. Even though the transaction was US-based with a US-based company, blah, blah, blah, blah, it's about the person. And I'm like as a humanist or whatever label you want to put on me, I think that's amazing. And I don't know why it's so shocking-
Bill Tolson:
Well you say people don't realize this, and you're absolutely right. All of the privacy laws, including the individual US state privacy laws are global in nature. I'm sitting here in Colorado and some company in Australia might have collected my data either via consent from me or without me knowing about it. They're still subject to the Colorado privacy law. Just like the EU citizens are protected and the Utah citizens are, and all the various state laws.
Bill Tolson:
And nobody realizes these things are global. That's a complicating factor because your pool of potential data subjects is worldwide. And the expense on that is going to be massive. That I think the expense for just managing data that companies are experiencing is going to grow by factors.
Bill Tolson:
I saw one study and you mentioned DSARs, Data Subject Access Requests. I write about it a lot. And I think you're going to find organizations and individuals who use filling out DSARs as an offensive weapon, just to screw with a company, number one.
Steve Weissman:
Yeah.
Bill Tolson:
But I saw data from two different market research firms that basically said, "Right now, the average company in the United States or the United States and the EU is receiving approximately 147 Data Subject Access Requests per month, at a cost of $1,400 each, to respond to them because they got to go out and look through all the various repositories and fill out reports and stuff." Right now, that's an average monthly cost of $200,000 just because of responding to DSARs.
Bill Tolson:
Can you imagine with a huge growth in these privacy laws, including all the states? That 147 is going to be 2,000, 3,000. And you're going to be looking at millions of dollars per month, defensively responding to DSARs.
Steve Weissman:
And that's the math equation I inarticulately mentioned before, that you translated so well. At a certain point, if the fines are not hefty enough, it's a cost of doing business because it's cheaper than-
Bill Tolson:
Exactly.
Steve Weissman:
I'll just pay the fine. It's not easy. It's not even straightforward, but it is happening.
Bill Tolson:
It is happening. And I think technology is going to get better at it. I've talked to companies that have DSAR response applications and using all kinds of interesting technology. And I think that's going to be built into a lot of things.
Bill Tolson:
But like you've said, like I've said, there are other costs involved in this stuff besides just a fine. But the fines can get hefty as well. But Steve, we're reaching the end here. So this has been a fantastic conversation.
Bill Tolson:
So for all the listeners, we'll wrap this edition up of the Archive360 Information Management 360 Podcast. I really want to thank Steve for a really fun and insightful conversation.
Steve Weissman:
And thank you for having me. Yeah, we should do this again.
Bill Tolson:
I would love to. You brought up a lot of things I hadn't thought of, so I really appreciate that. But again, to the listeners, if anyone has questions on this topic or would like to talk to a subject matter expert, please send an email mentioning this specific podcast to info, I-N-F-O @ archive360.com or you can send it to my email address, @bill.tolson, T-O-L-S-O-N @archive360.com. And we'll get back to you as soon as possible.
Bill Tolson:
Also you can send questions or inquiries to Steve Weissman, Steve, S-T-E-V-E @hollygroup, H-O-L-L-Y-G-R-O-U-P .com. Also check back on the Archive360 resource page for new podcasts with leading industry experts like Steve, on really some diverse subjects that I think you'll find interesting.
Bill Tolson:
We talk about data security, data privacy, information management and governance, records management, compliance, eDiscovery, all kinds of interesting things.
Bill Tolson:
So with that Steve, again, fantastic. Really enjoyed it and thanks for taking the time.
Steve Weissman:
It was great. Thank you, Bill.