Description:
In this episode, Bill Tolson of Archive360 and Jay Cohen of Compliance Systems Legal Group discuss the limitations of in-place information management systems and SharePoint. The concept of in-place or federated information management (as opposed to a centralized/consolidated strategy) is intended to manage different file types from one main management dashboard across multiple application repositories as well as numerous enterprise storage locations. But these systems drive up costs when it comes to eDiscovery, legal hold and regulatory compliance.
Records Retention and Data Minimization
Regulatory requirements and security threats are forcing organizations to consider Record Retention and Data Minimization, including the Defensible Disposition of records. Read this ebook to learn more.
Speakers
Jay Cohen
Senior Advisor
Compliance Systems Legal Group
Jay is a Senior Advisor to Compliance Systems Legal Group, a boutique law firm focused exclusively on compliance, ethics and corporate governance. Prior to that, Jay was a Managing Director in the Risk Advisory practice at Deloitte, where he helped companies in insurance and other industries develop and strengthen their compliance programs; conduct compliance risk assessments; manage required remediation of compliance issues; and address laws and regulations in critical areas including sales practices, data privacy, and anti-corruption.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to the Information Management 360 Podcast. This week's episode is titled Why in-Place Information Management is not a Complete Solution. My name is Bill Tolson and I'm the VP of compliance and e-discovery at Archive360. And we're happy again to have with us today, Jay Cohen, senior advisor at the Compliance Systems Legal Group, looking forward to this discussion Jay. Can you briefly describe what your organization does?
Jay Cohen:
Sure, and thanks again Bill, for giving us this opportunity. Compliance Systems Legal Group is a boutique firm that focuses exclusively on helping companies address compliance and corporate governance obligations and issues. And among the subjects that we tackle is the overall area of information management, requirements around data privacy and security and records retention and production that companies are obligated to address.
Bill Tolson:
Great. Everybody, Jay's a very well-known voice in the information governance industry, advocating the strategy and need for effective information management. And Jay and I have talked before on podcasts having to do with defensible disposition. So for the people listening that have an interest in a greater in-depth discussion on defensible disposition, you can go to the Archive360 resources page and download and listen to the podcast that Jay and I recorded around defensible disposition. So with that in mind, I mentioned in the title that in-place information management is not a complete solution. Let me kind of set the stage here. Every year, companies face the annual prospect of adding terabytes and terabytes of new storage resources to their numerous, overloaded and expensive enterprise storage repositories to keep up with the constantly growing storage requirements. I haven't run across too many storage admins or IT people that have told me that their storage budgets are shrinking by any means. It's a constantly growing issue of what to do with all of the information that employees and the business are collecting, and how they're storing it and how they're managing it, if they're managing it, those kinds of things.
Bill Tolson:
These storage repositories include application-specific repositories, on-premises email archives, department share drives, individual employee home drives (for those of you who still have those), employee cloud accounts like OneDrive that come with your Office 365 subscription, SharePoint systems, and, by the way, decommissioned SharePoint resources as well. And this is becoming a really interesting issue for companies in that I'm getting told that they might have 200, 300, 400 different SharePoint systems, but might have at least that many that have been decommissioned, and they don't know what to do with the data. So obviously the overall trend that I don't think anybody would argue about is that the need for storage resources in corporations continues to grow. To help control the costs of the constantly expanding enterprise storage resources in the past, companies previously installed standalone archives for many of their applications to manage both structured and unstructured, inactive or semi-active data to ease data storage management costs.
Bill Tolson:
Many of us have worked in many, many, many companies where you had email archives, you had file system archives separately, you had ECM systems, you had CRM systems that were generating data. In many companies, even in smaller companies, startups, midsize companies, they proliferated very quickly. So all of a sudden you were looking at large growing number of data repositories where different kinds of data was being kept. Additionally, these archives did two things; they ensured aging data was readily available for both regulatory compliance and e-discovery requests, but also they were starting to be used for analytics processes and even employee reference. And I've written a lot about this over the years about the idea that even semi-active or semi-inactive or inactive data is still potentially of value to the company because employees do on occasion, go back and try to find those older files to reference and so forth.
Bill Tolson:
In the last several years, some information management solution vendors have begun promoting the idea of in-place or federated information management. Jay and I will be discussing these concepts around in-place information management and its pros and cons. So let me briefly describe what in-place information management is. Now, what these applications attempt to do is apply information management policies across the various enterprise applications and their storage repositories, and by that, I mean you might have a centralized application that does one thing. Maybe it's a CRM application, maybe it's a file system storage, maybe it's an archive. There are literally lists of hundreds of these types of applications, but they're all separate silos within your enterprise and they all have their own enterprise storage resources, usually sitting on tier one or tier two enterprise storage, which is expensive enterprise storage.
Bill Tolson:
But what an in-place management system attempts to do is, at arm's reach, basically apply information management, retention, disposition policies, access controls, those kinds of things across the many applications. So what you end up with is a centralized dashboard, but you also retain all of these separate applications and their storage repositories. The benefits that these vendors call out are basically ease of use for end users, and they also call out, or try to impress on us, that an obvious benefit is cost savings. Now, I find that to be questionable at the least, much less realistic, because you're retaining all of these different resources and trying to manage them. What Jay and I will get into is how in-place information management systems and their functionality have advantages for, or interfere with, things like regulatory compliance or e-discovery response, or even employees trying to find data again. So again, in-place is basically keeping everything you have and then trying to put a management layer on top of it. And we'll get further into that here in a moment. So Jay, with that said, do you have any thoughts on in-place records management, any pros or cons?
Jay Cohen:
Thanks Bill. This is a very interesting and timely conversation. In my experience, there are two sort of key points I think that are worth making at the start of this conversation. The first is that one of the most interesting things about in-place records management is that many companies wind up in some version of that without really thinking through the pros and cons and without really deciding that's what they want to do. They have developed and are using and have retained all of those applications in various data repositories and data sources and data use tools that you described a few minutes ago. So they have a very sort of federated, decentralized way of looking at information management. So a lot of their information is in place. The second thing though, is that in addition to not sort of making a conscious decision, weighing all the pros and cons to get there, they're doing that without doing the next step, which is making sure that they have the oversight and the management in place to handle that.
Jay Cohen:
You recently wrote a blog on this subject, and you said that in-place information management allows employees and applications to store files in their original repositories while providing an overall management structure. And what I've seen is that companies have the first part of that sentence. They let employees leave things where they are, but they don't have the second part. They don't have the overall management structure to handle that. So whether companies are going to decide to go in-place or centralized, they ought to do it in a carefully thought out conscious way and make sure they have all of the oversight that's required to handle the regulatory requirements and obligations that go with the information that they've got there.
Bill Tolson:
Yeah, Jay, that's such a great, great thought you've put on there, and I absolutely agree with it. In my experience, I have seen that as well, that many companies as they're growing ignore, and we'll get into this a little bit later, but they ignore information management and try to do records management for compliance and things like that. We'll get into it a little bit later, what percentage of an enterprise's data is regulated and what percentage is just kind of free-range data. So yes, they kind of fall into it and, like you say, most of them actually never take that next step and say, "Okay, I'm going to manage this information." I think you could say that them picking up an in-place information management capability is maybe a first step on their part, but then you get into questions around how long do you let the data sit there?
Bill Tolson:
Do you let inactive data sit there for large periods of time? Does it make sense to... And the vast majority of corporate data, as far as I'm concerned, is semi-active or inactive because within a couple of weeks of a data being created or received, it's probably never going to be used again. So and I'll get a little bit more into that in a minute, but does it make sense to keep a huge amount of inactive data sitting in application specific repositories on very expensive enterprise data? And that's where I start to diverge from the idea of in-place records or information management. Jay, as a follow-up question and looking at your numerous, numerous clients, do you have any clients that have gone down the in-place information management path?
Jay Cohen:
Well, we have worked with clients who have undertaken the process of assessing what kinds of information they have sitting in their various data systems, particularly unstructured data systems. The emails, the share files, the SharePoints, the kinds of things that you started out by summarizing for us. So we have worked with clients who have started the process of trying to figure out what they have in those systems so then they can determine how to best manage them. And not surprisingly Bill, what they found is exactly what you just described. And that is, there is an awful lot of what we call ROT in these unstructured data systems. Redundant, obsolete, trivial information, data going back 20 years, emails related to contractors and employees who are no longer affiliated with the company. Lots of information being kept and stored that relates to absolutely nothing about the substantive part of the business. Duplicative information, the same email being kept in a variety of different places. An enormous amount of ROT found in those systems.
Jay Cohen:
So those companies at least are trying to figure out, now that they have a handle on what's in these unstructured data systems, what's the best way to handle that? And they're taking a variety of approaches. And there's one other thing that we found in working with these clients on these projects that's pretty interesting Bill, and you, I know, will appreciate this. And that is, in these various unstructured data systems, things like Office 365, there are tools available within the systems to help companies manage the information, and the clients we worked with were not taking advantage of those tools. So not only did they not have an overall approach to how they were going to handle the data within their organizations, they weren't even taking advantage of the first level of tools that were available within each data application or repository to get started.
Bill Tolson:
Wow. Speaking of Office 365, Microsoft is pretty vocal about in-place information management and the fact that they do it. Now, when you do a search, for example, on Google for in-place information management, the first several pages are all Microsoft stuff. But Microsoft does in-place information management for information within the Office 365 system. It's not like they're going to pick up a file share or a separate email archive sitting on-prem or anything like that. So we're not talking about Microsoft's ability to manage information within Office 365 from all the various applications within their Word, Excel, PowerPoint, Teams, SharePoint, Stream, all of those kinds of things. Sure, Microsoft can manage that stuff and they do a good job of it, but when you're looking at companies, organizations, most of them probably also use Office 365, but they have other applications that are generating data outside of the Office 365 cloud.
Bill Tolson:
So that's where these in-place information management systems that we're talking about are kind of coming up. So that's a great point, Jay, about ROT. I mean, and we've talked about this before, ROT is one of those things that can make you spend lots of money. ROT can be a huge percentage of any company's electronic data. And what does that mean when you need to react to an e-discovery request? Basically, in a lot of cases, and we'll talk about this again in a couple of minutes, ROT and e-discovery just push the cost of e-discovery up by tremendous amounts of money if you haven't been managing your overall information in your system. One of the arguments that these in-place information management vendors put forth is that consolidating and migrating information to a centralized, say, archiving solution in the cloud, instead of leaving the data in place, doing that centralization, that migration for ongoing management, and I've seen this on several of their webpages, they refer to it as extremely costly, and that by managing data in place, large cost savings would be realized.
Bill Tolson:
Jay, do you have any thoughts on that? Let me just kind of front that by saying I come from several organizations that have their roots in data migration. And to say it's extremely expensive is completely wrong. However, it's also a misdirection. We're talking about automatically, potentially, moving data into centrally managed archives based on predefined policies, or changing a repository target from the default application repository to the centralized archive. So I thought one of their arguments, that you don't want to move data around because it's expensive, is questionable in my mind. What are your thoughts on that Jay?
Jay Cohen:
Well, I think you have to look at the cost issue from at least three perspectives. The first is looking at it through the narrow lens that these vendors are, and that is the expense of movement and centralized storage. And the answer to that gets back to something you were talking about a minute ago, Bill, and that is while there may be savings on the surface from leaving things where they are, those savings can be eaten up by the cost of storing data that should be long gone. So again, if your company doesn't carefully manage the data being stored in place, then you run the risk of finding yourself with a lot of material that you're paying to store unnecessarily. So that's the first point about cost. The second point gets to what you were just talking about a minute ago, and that is the migration. And that is, we have worked with clients who have used the migration to centralized storage as an opportunity to eliminate ROT and other data that no longer needs to be stored.
Jay Cohen:
So there is an opportunity in the process to minimize the cost of storage. And the third thing is maybe most important of all, and that is to look at cost from a broader perspective. What other costs are associated with in-place information management? And here, I mean the potential cost of data breaches and regulatory violations associated with the information that's being kept across the organization in a lot of different ways. If your risks are greater, then your potential costs are greater, and those potential costs have to be factored into the calculus, the pros and cons, the analysis that your company undergoes when trying to decide which choice makes the most sense. Now, let me give you an example of what I'm talking about. I worked at a company that wanted to identify if and where we had Social Security numbers in unstructured data systems. When we engaged in this process using a tool, we found millions of Social Security numbers throughout the system. Each one of those Social Security numbers had a potential cost associated with it should there be some sort of a data breach. So data breaches, violations of regulatory rules around data privacy and security, ransomware risks, over-retention on the one hand and spoliation, failure to produce, on the other, all of these potential costs have to be factored into whatever analysis a company does in determining the real cost of one choice over the other.
Bill Tolson:
Several great points there, Jay. First one, in the migration action, taking the advantage to get rid of ROT. I mean, we talked about that in the last podcast we did around defensible disposition. It doesn't make sense to keep aging, legacy, valueless data, no matter where it is, whether it remains in its original repository or whether you put it into a centralized archive. If it no longer has value to the company, you should get rid of it. Now I've written blogs and articles about this as well, and actually I'm running one right now, that data can be a major liability for companies, especially when it comes to, like you said, privacy and the ability for all of those or some of those Social Security numbers to be basically taken out of the system and stolen.
Bill Tolson:
One of the bigger cost functions of this is in e-discovery. We hopefully all know this. I mean, you might have a spreadsheet that you created. You might have a copy of that in your file shares, it might be in SharePoint. Obviously it would be in your email system if you're emailing it around. Multiply that by the number of people you actually send it to, and now all of a sudden, if you're doing an e-discovery search across a whole bunch of repositories, then you can end up with many, many copies of that same spreadsheet or email or whatever it happens to be. And what I'm getting to is that e-discovery can be an individual pursuit, but in a lot of cases, it's lots of e-discovery administrators and contract lawyers and all kinds of people going out and searching, and you might actually be searching for, collecting and reviewing the same exact document 10, 15, 20 times or more across a large discovery.
Bill Tolson:
And the cost of discovery goes up wildly when you're actually having to review the documentation. So if you can cut duplication in an e-discovery search, you can see a direct correlation to much lower-cost e-discovery, and I've created models around this. The other issue is e-discovery search and its consistency. For years and years and years, and I've been associated with email archiving and discovery since 2001, the biggest issue with this has always been: if I search for a keyword across a bunch of systems and I get a result set that equals a thousand items, and I rerun that search five minutes later, will I get the same thousand items, or will it be 11,121, or will it be 743?
Bill Tolson:
And that just absolutely, and rightfully so, freaks out your general counsel, as well as your external counsel, because external counsel has to certify that e-discovery was done correctly and completely and everything else. So I really question the whole idea of in-place information management when it comes especially to e-discovery response. The other thing is, especially when dealing with very specific regulatory compliance regulations, such as SEC 17 or FINRA or whatever, especially SEC 17, they have very, very specific prescriptive retention requirements. Each item or email must be serialized and must be passed. It has to be saved in a certain manner, it has to be saved in WORM, all these kinds of things. And I have not run across an in-place information management capability that allows specific items, for example, related to SEC 17 within an application's repository, to have immutability applied to them and not to the rest. So it's an interesting concept in making it easier for end users, but if you are worried about, and I know most companies look at this kind of information management for e-discovery and regulatory compliance requirements, as well as being able to run analytics across all kinds of stuff, they're very leery about this because you really can't say that we are meeting the regulations, because I don't think they in reality can.
Jay Cohen:
Well, let me give you a few examples to add onto that from my experience. And the first is sort of the flip side of e-discovery, and that's the legal hold process. So one of the ROT projects we were engaged in looked at, among other things, email files, and we found out that that company was saving almost all of its emails because all of them were supposedly under a legal hold. Rather than try and figure out how to apply the legal hold carefully and strategically to the emails that really mattered, because the emails were all over the place, it was easier and safer for that company to just tell everybody, "Keep everything because we have a legal hold," with the result that they were undoubtedly over-retaining information that had nothing to do with the legal hold, and to your point, probably retaining the same relevant emails several different times at least.
Jay Cohen:
The second experience that I had relates to sort of looking at e-discovery from a slightly different perspective, and that is, when I was an insurance company compliance officer, we would have to produce files for state insurance regulators who would come in and do exams. And any company that's subject to SEC or FINRA or other regulatory exams can appreciate what I'm talking about. The state would ask us to produce 100 claims files, the claims file for Jay Cohen and 99 other people. And the regulators had this idea that I could push a button next to Jay Cohen's name and find out everything that we had in all of our various applications and data repositories related to Jay Cohen, and it would be a piece of cake. Well, it was anything but, because the information related to Jay Cohen and those other 99 people was everywhere. So we spent an awful lot of time trying to create the file related to each of these people so that we could produce it for the regulators. An enormous amount of time and effort went into that.
Jay Cohen:
And not only did we have that issue, but anytime the business folks wanted to find out the full extent of the relationship between Jay Cohen and the company, they had to engage in a similar exercise. The challenge of dispersed information is not only regulatory, but it's got its business implications as well. And the third point Bill, and that is regulators in the data privacy, security and retention world are getting more and more prescriptive all the time. They're not only providing sort of broad guidance about companies having to have reasonable data privacy and security. They're talking specifically about things like encryption and multi-factor authentication. New York State just recently fined a financial services company $3 million for not applying multi-factor authentication across all of its data systems. Companies have to do risk assessments around all of their information management, required by the rules. So each of those requirements is complicated by the size and diversity of an organization's information.
Jay Cohen:
Also, as you're trying to weigh the pros and cons, you have to think about what's the best way for us to manage the information for business purposes, but also the best way to meet these increasingly detailed data privacy and security requirements. One other example that comes to mind that I know companies we've worked with are struggling with, and that is the data subject access requirements that are built into things like the California privacy rules, which little by little other states are adopting. My right as a data subject to see what you have about me. And the more that what you have about me is in a variety of different places, the more challenging your response to that access request can be.
Bill Tolson:
Yeah. Those are many important points there, but I'll point out, you mentioned legal hold, which you were referencing, I think, is the ability to granularly find and place on hold potentially responsive content, instead of saying, "Well, gee..." and I've run across this before. It was several years ago, but "I have no way of searching for very specific content in relation to an e-discovery request, so I'm just going to place the whole repository on legal hold." Most GCs, general counsels, don't like that because you're putting information on an undefined or unlimited legal hold for large periods of time, and what legal folks will tell you is that raises the risk of some of that data that's being held actually being used in another case, and that's never a good idea. It used to be that GCs didn't want to keep data for more than a week or two, then they cycled over the years to, "We're going to keep everything forever just to be safe."
Bill Tolson:
And now it's kind of circling back to, "We need to get rid of stuff we don't really need." So having those various repositories without the ability to granularly place legal holds within them easily is an important factor. Also, what a lot of people will do is they'll say, "Okay, I have no ability to do the granular legal holds within all these systems, so I'm just going to migrate all of this data. Maybe I'll do a search on Bill Tolson and they'll come up with 200,000 files and I'm just going to pull them from everywhere and put them into a separate repository to run discovery on." And you're looking at duplicates and duplicates and duplicates and driving the cost up. The other thing you said Jay, was in reference to privacy and GDPR, being able to find the data within the amount of time specified by the law, 30 days, 45 days, and then being able to respond to the client or to the data subject who asked for the information, is tough enough.
Bill Tolson:
But also, what about right-to-be-forgotten requests? Can you say that across these multiple repositories, I was able to find every single thing that data subject asked for and deleted it? And if you weren't able to find everything, you violated the law. You didn't fully respond to the right-to-be-forgotten request and then you're looking at massive potential fines. So it all comes down to managing all of your information. It used to be again, and I mentioned this before, manage records, everything else, who cares? Now with various regulatory laws, as well as the privacy laws, you have to know exactly what you have and be able to find it in a short amount of time. That's not just records, that's everything: social media, work files, revisions, anything that might have this PII in it, you have to be able to track down and find and potentially delete. That's really important. That was a great point.
Jay Cohen:
Bill, and just to echo what you're saying, the calculus around the risks with regard to data has changed. And this is something you and I talked about in our last conversation. And that is because of all the things that we're talking about, plus the fact that regulators increasingly are building data retention and data limitation requirements into their privacy and security regulations, the risks around keeping things too long have grown. And so while it used to be that when we would talk to general counsels and we would show them that there were emails within the organization going back years and propose a sort of automatic email deletion program, so that emails would go away unless the email recipient put them in a place to keep them because they were actually records, they would push back on us, that pushback is changing a lot, and general counsels are increasingly considering shorter and shorter time periods because the risks around over-retention have changed.
Jay Cohen:
And the other thing you said which is critical is that whatever choice is made, the choice to do in-place versus centralized or some version or something in between, or some combination of the above, has to include all these factors. It can't just be looked at through the limited lens of it costs a lot to migrate and store centrally. Because at the end of the day, you have to do the three things that you just talked about. You have to understand what data you have and where it is, you have to figure out what to do with that data, what obligations, regulatory rules, business value, legal holds, whatever goes with that data, and then based on that, you have to decide what you're going to do about it. Keep it, not keep it, put it here, put it there, dispose of it defensibly as you and I talked about the last time. So all of that has to be part of any decision-making as to whether to go with in-place information management or some other alternatives.
Bill Tolson:
Yeah, perfect point. I think Jay, in my mind, the biggest downside with in-place information management is that of security. These in-place information management applications, whether they're a SaaS application or on-prem, they're looking to manage the data as best they can. But I think the biggest downside of that kind of thing is data security specifically. Now, a lot of people will fire back with, "Well gee, you're inside the corporate firewall, why is security an issue, they're not going to get by the firewall?" Well, we all read the stories every day about hackers and ransomware getting beyond the firewall. Otherwise, it wouldn't be such an issue. So I think what centralized information management systems offer that these in-place systems can't is much more aggressive security. When I talk about security, I'm talking about data security.
Bill Tolson:
Infrastructure security, sure. Your enterprise has various protections around it. If you're sitting in a cloud, then those clouds usually have some form of infrastructure security, but what about individual data security and those regulatory requirements that actually call for a first kind of encryption? Can you, or do you need to be able to, store a piece of information that might include PII? Can you encrypt it? Do you know where those encryption keys are kept? And I say that because with a lot of vendors, even if you move your data up into a centralized archive in the cloud, the cloud itself and the third-party vendor handle the encryption, which means they have the encryption keys, they keep the encryption keys in the cloud, and that's a bad practice industry-wise. I mean, you never keep the encryption keys anywhere near the system where the data is encrypted.
Bill Tolson:
So one of the things that we're looking at with Privacy Shield and validation and standard contractual clauses, and all these other kinds of things that have come up because of the invalidation of the Privacy Shield and being able to move PII from the EU to the US, we're now looking at: can that specific file be encrypted? Is that encryption key kept on-prem and managed separately, not by the third-party cloud, but by the actual data owner? Those kinds of things that give you that next level of security. Can you apply field-level encryption within a given encryption key to add that additional security? Maybe I want to give Jay access to a file, but only parts of it. I can use field-level encryption to encrypt those parts that I don't want Jay to see.
Bill Tolson:
And when he actually gets access to the file and uses his encryption key, he's only going to be able to see certain parts of it that I want him to see. That is becoming much more prevalent. And that's something, those levels of encryption: can you protect data in transit, at rest, and while in use? Meaning that data is never unencrypted. And these are the levels of security now that the industry and that regulations, governments are starting to look at to say, "I need to be able to protect this data and I need these kinds of assurances." Some company in the EU transfers PII to me in the United States and I put it in my cloud, for example. One of the things that corporate CSOs have complained about is, well, because of FISA and the CLOUD Act and all these other kinds of things, governments' intelligence agencies can come into the third-party cloud to say, "Give me all of Bill's data, decrypt it for me because I know you've got the encryption keys. And by the way, you can't tell them that you gave it to me."
Bill Tolson:
If you hold the encryption keys yourself on-prem, then it doesn't matter if it's stored in the cloud in a central archive or whatever; you control the encryption keys, so secrecy warrants and those kinds of things don't happen. But because of those two things, because of the quickly, ever-emerging cyber threats and ransomware, companies, governments, organizations of all types are having to move to these new kinds of protections that I have not seen in-place information management vendors able to address.
Jay Cohen:
These are not idle threats. I read something the other day that said that nearly half of the businesses surveyed by this one organization in Europe and North America were targeted by cyber criminals in 2020. 43% of the more than 6,000 companies in eight countries had suffered some kind of online attack. So the first thing is, what you're talking about is not something that doesn't happen very often or won't happen to most companies. The second thing is that the requirements that the regulators are expecting because of this threat will have to be applied across all of these applications. Let me just read a couple of excerpts, in the time we have left, from cybersecurity best practices just issued by the US Department of Labor. "Have a formal, well-documented cybersecurity program. Conduct prudent annual risk assessments. Have strong access control procedures. Encrypt sensitive data stored and in transit. Implement strong technical controls in accordance with best security practices. Appropriately identify and respond to any cybersecurity incidents." So all of these obligations will have to be applied across all of the applications and systems and activities within the organization, and whether that's easier or harder under in-place versus centralized is something that has to be taken into consideration when a company's trying to decide which way to go.
Bill Tolson:
Yeah. I absolutely agree with those. And I love that list, and you can get much deeper into it, but again, security, because of the cyber environment we now live in and the kinds of data that companies are looking to collect and use, security of that data is now becoming, like the GDPR says, a human right. And that's not going away; it's just going to get tighter and tighter. You mentioned the CCPA in California and their follow-on CPRA, I think it was. Virginia just enacted a new privacy law that mimics the CCPA in California. These things are popping up all over the place, and until there's a single federal privacy regulation that supersedes them all, companies have the potential of looking at 50 or 51, just in the United States with the District of Columbia, different sets of rules.
Bill Tolson:
And you imagine trying to create policies for in-place information management across all of these different repositories for all of these different laws, and if you make an inadvertent mistake on just one of them, you could cease to exist overnight as a business because the fines are not small. And I know we're reaching time, but I did want to mention one other thing, Jay, to get your thoughts on this: the idea that companies, I said this in the beginning of the podcast, but companies even now tend to mostly ignore non-records based on all kinds of different kinds of data. The average company, the amount of regulated content amounts to about 5% of overall data within an organization. So what about the other 95%? As I just kind of mentioned, we're moving beyond just records management. We have to manage information in general because of the regulatory risks and e-discovery and the ability for the company to actually utilize that data for analytics and stuff. Now, in-place information management, I've gone through and studied a lot of these offerings, none of them address the need: 80% of all corporate data resides on individual employee laptops and desktops that the company has absolutely no insight into.
Bill Tolson:
They don't know this stuff exists, it's not indexed, they can't search it, and that's always been kind of a sore spot for me with companies... I mean, I worked for California high-tech companies that would say, "Well, that's the employees', we don't deal with that. That's their business. We don't want to know what's there because it might upset the employees." Well, I'm sorry, but that's all corporate data. If you work for a company and you're using company resources, the data you're generating is still company assets, but it also can be part of e-discovery or regulatory. So saying in-place information management and records management is kind of a misnomer because it's ignoring 80% of organizational data. Now, granted, to make a centralized archive complete, you would have to have some form of migrating all of that data into a centralized archive. I have consulted with large companies in the past, and I just float this just to see, but I've worked for companies that have said, "Okay, we're going to set up a system so that when an employee using a desktop computer saves something, it goes into, say, the Documents folder within Windows, and then the system automatically syncs that Documents folder with their central archive every day, every four hours, whatever it happens to be."
Bill Tolson:
And by the way, if you're on a laptop, the next time you sync up with the system to get your email, the copy is transferred into the archive as well. So some companies have said, "We need to capture all of it, and this is the way we do it." And I don't see that happening with in-place, and I think it's probably, with all the different repositories and with the standalone employee-managed data sitting on their laptops, it's probably extremely difficult, if not impossible, to do. Jay, have you run across any companies that have actually looked to manage their employee data, control that data?
Jay Cohen:
Two answers to that, Bill. First, I've seen companies doing, and I've worked at companies doing, exactly what you just described, which is taking information from the corporate-provided employee laptop and putting it in a central place because they recognize what you said. Which is, what I do on my company computer can potentially implicate the organization, can involve company business or company risks and requirements. That's the first thing. The second thing is most of the companies I've seen and worked at or with have computer use policies, which advise employees essentially what you said and the opposite of what those employees told you, which is that, "What you do on our machine is subject to our oversight. It doesn't mean you can never conduct any personal business on our computer, but your expectation is that we will see what you do on our machines, because it's our obligation to manage the organization's data and its risks."
Bill Tolson:
Yeah. I remember signing on to a computer for the first time at a high-tech company and I got a desktop message, big old fill thing, that basically said, "Don't have any expectations of any privacy of anything you do within the company infrastructure or equipment." I thought that was very good, actually. It's like, well, I'm glad they warned me because I probably wouldn't have thought about that. Now, in other countries, yes, there is an expectation of privacy, but in the States, anything you do, any information you create or utilize or store is the company's; you're getting paid for them, so.
Jay Cohen:
Some companies would make you certify, would repeat that warning that you just described, Bill, every 90 days, 120 days, 180 days, whatever, and make you re-certify just to re-remind you, because they're obligated to put you on notice so you know what you're getting into.
Bill Tolson:
And also, as you leave a company, I've been asked many times, "Do you have any copies of corporate data?" And you have to certify that you don't, or that if you do, you are deleting it as you speak; otherwise you don't get your last paycheck.
Jay Cohen:
Exactly.
Bill Tolson:
Okay. Well, Jay, I think that about wraps up this edition of the Information Management 360 Podcast. I really want to thank you for the great discussion. I always enjoy-
Jay Cohen:
So do I.
Bill Tolson:
... with you today, but around this idea of in-place information management. Again, I don't believe we're saying in-place information management doesn't have its place, but you have to understand what that place is. Then you look at active versus inactive data and all that kind of stuff. Just to remind everybody, Jay has written and published an ebook about defensible disposition, which is available on the Archive360 resources page on the website. To download it, go to the archive360.com resources page and look for the book titled Records Retention and Data Minimization. And by the way, you can also go up there and look at the other, or listen to, download the other podcasts, and especially the one that Jay and I did many weeks ago, but not too long ago.
Bill Tolson:
If anybody does have questions on the topic of this podcast or would like to talk to a subject matter expert further, please send an email mentioning this podcast to info@archive360.com and we'll get back to you just as soon as possible. You can also email Jay at jcohen@csig.com to ask Jay questions or for further discussion. Also, check back with us on a regular basis for new podcasts that we'll be recording and putting up. All the podcasts are available on all the podcast platforms, iTunes and Spotify and all the rest, as well as on our resources page. So with that, Jay, very much appreciate you participating today, look forward to more in the future, and I want to thank everybody who listened. Thank you.
Jay Cohen:
Thank you, Bill. Really, always welcome to take advantage of this opportunity. Thank you.
Bill Tolson:
Thanks.