Description:
In our latest episode, Bill Tolson of Archive360 and Andrew Ysasi of VRC discuss how remote and hybrid work environments have affected the creation of new information governance policies and procedures. With the rapid implementation of collaboration technologies like MS Teams and Slack to sustain company productivity, information managers are now scrambling to revise those policies and procedures to comply with the myriad state data privacy and security regulations that are being proposed in over 25 different states.
Speakers
Andrew Ysasi
Vice President of Advocacy
Vital Records Control
Andrew Ysasi, Vice President of Advocacy at Vital Records Control has over 25 years of award-winning professional experience including more than ten years of executive experience in technology, information services, healthcare, and non-profit organizations. Andrew helps individuals and organizations improve through developing strategies for success, mentoring, volunteering, and teaching. He holds certifications in information governance, project management, information security management, information privacy management, and records management.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Transcript:
Bill Tolson:
Welcome to Archive360's Information Management 360 Podcast. This week's episode is titled A Discussion on Cybersecurity and Privacy for Information Managers. My name is Bill Tolson, and I'm the vice president of compliance and e-discovery at Archive360. Joining me today is Andrew Ysasi, vice president of advocacy at Vital Records Control. Andrew, thanks again for taking the time to join us today. Can you take a couple of seconds to describe what Vital Records Control does?
Andrew Ysasi:
Sure. Bill, thanks for having me. It's a pleasure to hear your voice and chat with you. Seems like the MER was just last week when we met.
Bill Tolson:
Yeah. That was a lot of fun.
Andrew Ysasi:
Absolutely, absolutely. Vital Records Control, we are a records services firm that specializes in document storage, scanning, and shredding, and workflow solutions. We also have a release of information division for our healthcare clients. We have approximately 100 facilities around the US and a few in the Bahamas. We operate mostly in North America. We've been growing like a weed, and it's an honor to be with them.
Andrew Ysasi:
In addition to my role there as vice president of advocacy, I'm also an instructor in the MARA program at San Jose State University, the master's of archives and records administration program. So I'm a busy guy, but I wouldn't have it any other way.
Bill Tolson:
Two things. You're also in the industry a well-known subject-matter expert on information governance, records management, and those kinds of things. But it seems like what you just said that I ought to see if I should visit one of your facilities in the Bahamas.
Andrew Ysasi:
I often joke with our CEO that if there is an association chapter that needs to be started, I'd be happy to be the president and lead that charge. He just smiles and laughs. So one day. Maybe one day we'll get an association chapter out there.
Bill Tolson:
He probably gets that a lot.
Andrew Ysasi:
I'm sure he does. All sorts of volunteer reasons to go out there for the office.
Bill Tolson:
Yeah, yeah. All right. Well, let's get started with our discussion. You and I had an earlier call a couple of weeks ago, and we talked about, and I mentioned, the rapid changes we all experienced when workers were moved to a remote work model because of the COVID-19 pandemic. That happened rapidly, a lot more rapidly than I thought. But the pandemic inflection point triggered ... And this is one of the problems we noticed almost immediately, because I've been focusing on data security as well. But the pandemic really triggered many companies, probably most companies, to quickly adopt new collaboration applications, such as Microsoft Teams and Zoom, to facilitate ongoing employee and client communications and data sharing.
Bill Tolson:
However, and we noticed this pretty quickly because we started to get calls from corporate legal departments, many of the companies didn't really think about, or under certain circumstances simply bypassed commonsense legal and regulatory requirements, such as the ability to place legal holds or to capture and archive data for regulatory or e-discovery requirements. So we had, after a period of time, many corporate legal departments, saying, "Oops, we forgot about this, and now what can we do about it? We have application A, B, and C, collaboration app. Can we capture that data and move it into a system that we can manage and apply litigation holds and those kinds of things?" Have you noticed, or have you heard from colleagues or people in the industry, whether that was happening almost universally?
Andrew Ysasi:
Yeah. That's a great question, and certainly a very fluid topic even today, coming out of the pandemic. I think the pandemic, and this goes back to our conversation, really was an opportunity for some, and certainly was a wake-up call for others. The opportunity for those who had been advocating for a better way to communicate or more modern way to communicate throughout their organization, especially as you had more remote employees, those opportunities to get rolled out were there. Many plans were already written up. It was just a matter of execution. And then you had the others who weren't prepared, weren't ready, and were really forced to make adjustments.
Andrew Ysasi:
I think what we're going to see as a result of that is those who were early prepared are going to be in a much better situation for adapting to some of these new privacy laws and some of the other risks that occur from a cybersecurity standpoint than those who really rushed to get something out, and now may have to go back and reevaluate, did they put out what they intended to? Is it sustainable from a long-term maintenance situation when it comes to managing information as it pertains to cyber threats and as it pertains to privacy regs that will continue to be an issue?
Andrew Ysasi:
Frankly, there were folks who might've had plans drawn up, but they weren't doing a great job of keeping up with the cyber issues and the privacy regs prior to the pandemic. And as we saw with the pandemic, lawmakers were active. They were out there. They were still working and getting some of these regulations out there and getting them passed through the legislative bodies. So there's not going to be a slowdown in that area. If there was a lack of awareness or limited opportunities to get something done, I think the pandemic, for multiple reasons, allowed organizations to say, "Hey, we've got an opportunity to do things better, and by the way, we have to because of these threats and the new regulations and compliance that are out there."
Bill Tolson:
Yeah, the unrealized risks when they were just trying to react, like you talked about the privacy and security regulations in the United States. And we have five states now that have specific data privacy laws that get into this sort of thing. By next year, it'll probably be 25 or 30. I sat in on a House Energy and Commerce Committee meeting yesterday in the Capitol. I did it via Zoom. They were discussing a new draft of a federal privacy bill that would also get into this stuff.
Bill Tolson:
But in talking about especially these collaboration applications, could they include PII and those kinds of things that are coming under those things? This really gets into a question about shadow IT, almost. The installation of unsanctioned collaboration applications has become ... I think in certain circumstances it's not a huge problem, but it is a known problem that all of a sudden people were working at home, they were having a hard time staying connected, so they started, without guidance from their IT department, started going out and looking for productivity applications to help them keep connected and stuff. This is what companies, and especially IT, refers to as shadow IT.
Bill Tolson:
But it creates a big risk for regulatory compliance requirements and e-discovery, litigation hold, and those kinds of things. In fact, years ago, when I was consulting, I was in a high-tech company in the Bay Area, and there was a deposition going on. The opposing counsel was questioning people, and it happened to be in the accounting department. He basically said, "Do you have any messaging applications, like Yahoo Messenger and those kinds of things, that could be collecting data and that kind of stuff?"
Bill Tolson:
But immediately, the defense counsel chimed up and said, "No, we have a long-going rule in this company that there is none of that stuff allowed within the firewall." And the VP of accounting kind of sheepishly said, "Well, yes, most of our accounting people have installed Yahoo Instant Messenger and we all use it internally." The defense counsel basically banged his head on the table, because he didn't know this was going on, so they couldn't have applied a legal hold and any of this kind of stuff on it.
Bill Tolson:
So I think the pandemic has just highlighted this idea of, IT really needs to get more of a control and management of these possible things, because like you said, the new data security and privacy regulations are really highlighting ... All data within a company now comes under the compliance, because it might have PII in it.
Andrew Ysasi:
Sure. Yeah, and as we're seeing across the pond in Europe, a lot of the GDPR and individual country privacy legislations are starting to act against organizations. They're starting to enforce these laws. And I imagine as we get through this decade, as the US starts to catch up, we're going to see more of that here stateside, and it will continue to evolve in the European Union. So for global companies, having a privacy office, having a privacy operation center, that may be the catalyst to have broader conversations around information governance as a whole, as being part of a strategy. More so in some cases than maybe even cybersecurity, which for a long time, I think, surpassed the records management side to be the driver. We could see privacy switching that, or sharing, or gaining a large responsibility for driving that IT change overall.
Bill Tolson:
Oh, I absolutely agree. I think the current and upcoming newer privacy laws that are going to come into being in the next couple years are really going to change the information management, information governance profession.
Bill Tolson:
But before I go down that path, just a quick fact. GDPR, the first couple of years, they were rather laid-back about it. There were some little fines here and there. But the last year, in 2021, the EU, under the GDPR, imposed a billion euros' worth of fines for privacy violations. That was mostly for companies in the EU, but that was also for companies in the United States and spread around the world. So they have seen it, and they are staffed up now to where they can really get aggressive in what they can do with violations. I mean, they're even down to fining individual small law firms for not doing things correctly. So it's going to be the Wild West out there, I think, with the privacy.
Bill Tolson:
And that brings me to the subject I started talking about. My idea ... Not my idea. I've heard other people. But you know, we've looked at records management as controlling those compliance records, and they're usually 5 or 10% of a company's data. You know, those things that the SEC requires and the so-and-so requires, the energy agencies, those kinds of things. Usually a small amount.
Bill Tolson:
But now with these privacy laws, I think that there's going to be, over the next couple of years, a much more focused, much more of an acceptance that corporate data is going to have to be actively managed, not just corporate records, because that data can have a PII and other things in it that you could be asked to produce by a data subject. And you can't respond to a right to be forgotten if you even have that data sitting on three employees' laptops spread around the world.
Bill Tolson:
So I think we're looking at potentially organizations quickly needing to manage all data within the company, including the data on your laptop and my laptop and my cloud account, because they all have to be centrally visible to respond to these.
Andrew Ysasi:
That's right. And you're going to find even those naysayers who say, "Well, it won't happen to us," or, "This won't be a challenge for us," they're going to find that whether it's the government or opposing counsel if it's a different type of suit, doing that e-discovery software runs and the data maps exposed, you could find yourself rushing to the settlement table to avoid having that information turn out to be public, because it could be very glaring. And that can affect not only reputation, it can affect stock price, employee morale, lots of other things that play into just not saving money, and the scare of, oh, no, it's another fine. There's a lot of other factors involved.
Bill Tolson:
Yeah, that's a great point. The other thing that I've talked about for several years is the idea of managing all electronic data within a company, not just what's considered records, is really in many cases, and I've seen this in real life, it's going to be a corporate culture issue, because not in other parts of the world per se, but at least in the United States, in high-tech and in other industries, most employees recognize the idea of compliance records, and sure, we need to make sure this is put into the price content management system or something like that. But all of the other data, the terabytes sitting on my laptop, well, that's mine, and you don't get to tell me what to do with it. And now the corporate culture's going to have to change to basically say, "Yes, that is our data, and it does put us at risk, so we need access to it all the time."
Andrew Ysasi:
Absolutely. And I think individuals should understand too, if you start intermixing personal and work, that there's filters and there's ways and software to be able to search for certain things, but there may be access needed to personal information that you have because you didn't have those separations of repositories or that mindset of keeping work and life personal. Again, it depends on the suit and what's requested, but-
Bill Tolson:
Yeah, that's a great point. I've been in e-discovery for a long, long time. I used to tell employees, like you just said, "Don't mix accounts, don't mix business with personal, don't send corporate documents to your home email account so you can work on them over the weekend, because if you're being deposed one day and the opposing counsel basically asks you if you've done that, then all of a sudden, all of your personal accounts are open for some aggressive lawyer to go through."
Andrew Ysasi:
Sure, right. And they may not find anything, but the point is, is that it's open, and you probably didn't plan to have that be looked at by an aggressive attorney. And there are other scary situations where information may be found that isn't related that's reportable or what have you. It's just a situation you can avoid altogether by having good, sound personal data management practices, but also having the organizations advocate. We have these cloud solutions. We have these services. We need to train you, and we need to make you aware of these services, so you aren't emailing yourself to your personal. You can upload it to your cloud drive or whatever you're using through your organization, send a link via email, a reminder, and then take advantage of that if you have to over the weekend on a company device or in the company environment, keeping your personal life free from that view, but also making sure that you're not exposing the organization to a risk that they weren't aware of on a device that maybe wasn't part of the IT ecosystem.
Bill Tolson:
Well, and you could be looking at inadvertent deletion and all kinds of stuff within your personal account, that you've transferred stuff and all of a sudden you're being accused of destruction of evidence.
Andrew Ysasi:
Sure. Yeah, it even goes down to the privacy side of things too. If you're using your work account for communicating with your own attorney, or for something that's work-related, or to send emails to your doctor, depending on where you live, you may have privacy rights or you may not when using your work email.
Bill Tolson:
Exactly.
Andrew Ysasi:
And oftentimes, I find that when I look at acceptable use policies throughout organizations on how data and technology's used and managed through an organization, and how users are involved, sometimes there isn't that delineation. That could be by design. It could be by just not knowing by the organization's part, of telling an employee, "Look, if you use our environment, everything you use is available." Of course, there's exceptions, some of the examples I mentioned before. But I think it's important for organizations too to advocate for their employees' privacy, and I think that tells a lot. But I think here in the US it's going to take some time for that to shift.
Bill Tolson:
Yeah. I've worked with lawyers for decades, and I feel sorry for them these days, because for a lawyer managing e-discovery within a big corporate litigation, they have to basically certify to the judge that, yes, we did e-discovery correctly, completely, and so on and so forth. And if employees have been moving data into their personal accounts, and the managing attorneys didn't realize that or didn't find it, there's a problem in not responding to e-discovery completely correctly, the lawyers' licenses could be in jeopardy, all kinds of things. With the amount of data that's piling up for the e-discovery people saying, "We have to find all of this stuff ..." The whole idea of data minimization.
Bill Tolson:
I've been in defensible disposition. I've told people for years, "If it potentially exists, it's discoverable. And if it's discoverable, you have to go out and find it, review it, spend great deals of money on it. Actually managing your data with retention disposition and you're actually disposing of stuff, then your potential cost in discovery or even in regulatory information request becomes much less." And then you also potentially lower your risk of smoking guns and all kinds of neat things.
Bill Tolson:
But like you've mentioned and we've mentioned, the whole idea of ongoing, number one, knowing what data you have with the company, and then actively managing it with information management and information governance principles is really the way to go now, because otherwise it could cost your company a lot of business, or even cease to exist.
Andrew Ysasi:
Absolutely.
Bill Tolson:
We've both spoken on infrastructure and data security recently. I think you had talked about it at MER, and I sure did too. But the idea that there's a difference between infrastructure or perimeter security and data security. Looking at the information management professional industry, with the increase in data privacy requirements that's closely tied to data security, do you think information managers are going to need to get more knowledgeable about data security, infrastructure security in general? Because it's going to be surrounding them at all times.
Andrew Ysasi:
Yeah, absolutely. Yes. The answer is yes. I think that's true for any part of an information governance, say, steering committee, if you take a committee approach, which is recommended in a lot of the frameworks that are out there. It's wise to have individuals who own or are part of those groups and decision makers be aware of the basics and why other groups are part of that committee. For example, if you have the privacy group, and maybe they report up to the legal department, and they're responsible for managing the privacy operations and the strategy of the organization, they should have an understanding of cybersecurity in general, how cybersecurity is managed and understood within the organization. Same with records and information management, and also having an understanding of what information is being created, and whether or not that includes PII or sensitive information that's subject to privacy laws. And you could say that about others in that group.
Andrew Ysasi:
To be able to have open conversations about, to your point, about infrastructure. If you were to walk to an infrastructure engineer and say, "Do you know if the servers in this cloud platform, or these serverless apps, have PII in them, and do you know where they're located in the cloud, or what region of the world they're located in the cloud?" If that infrastructure says, "Well, I know where they're located and I can tell you the names of these servers, but I couldn't tell you what's on them. I might be able to tell you who ordered them or who required them to be spun up or what project they were part of, but I don't know what data's there," I think that's a real disconnect. I think it's important for organizations who want to mature. There should be an understanding of, are these servers part of the privacy, are impacted by privacy? Are we collecting PII? What's the additional cybersecurity functions that are used not only to protect the workflow, but also the data in state there? Who has access?
Andrew Ysasi:
And from a records standpoint, keeping an eye on that information to make sure we're getting reports, make sure that when it's time that information can be purged responsibly, that you're doing that. And also asking the question, "Hey, Mr., Mrs., or infrastructure professional, is there a copy or replica, or is there a test server out there that could have this information or parts of this information that another organization or department could be using, or another application that is feeding that?" so you can manage that, versus having a surprise of, hey, we thought we were doing a good job, but we didn't realize that this information was being pulled in all different types of directions.
Andrew Ysasi:
It takes that committee to ask those types of questions, to understand where the risks may lie, because as you know, you start spinning up servers and throwing out software, and you have legacy systems. It's tough for one individual to know where all of that is in a large enterprise.
Bill Tolson:
And is it somebody's job to track that stuff? You mentioned, and rightfully so, the whole idea of data residency, data sovereignty issues for compliance and privacy laws and those kinds of things. And you mentioned data mapping as well, to figure out where this stuff is. Gee, where's the server located? Even how many servers do you have? Years ago when I was consulting, I was at a large power distribution company, and I asked them, "Where's your storage repositories, and where are all your servers, and how many servers do you have?" And they kept not getting back to me, not getting back to me. Finally I went to the VP of IT and I said, "I need to know this stuff for us to actually provide you the information you're looking for." So he got back to me in a couple of days and he said, "Well, my people said we have about 893 servers." I said, "That sounds really low," and he goes, "No, that sounds right." We started doing some more. Turns out they had 5,000.
Andrew Ysasi:
Oh, wow.
Bill Tolson:
It was one of these things that you sort of mentioned too. You have a top-level server, and then you have test servers underneath it that you move new applications up to test and things. So yeah, these guys had 5,000 servers spread around the country and a couple in Canada, and they had no idea. I mean, it was absolutely new information to them.
Andrew Ysasi:
And that's much more common than you would think. I think that it boils down to ... A lot of people may point the finger at IT, but it really comes down to the appetite for mergers and acquisitions, the resource levels of IT, the changeover in IT from change, managed service providers. There could be much more out there that you're just simply not aware of.
Andrew Ysasi:
I like to tell folks data mapping is good. As you mentioned, as we talked about, data mapping is good. But in many cases, it's not dynamic. It's a snapshot in time. What I like to ask, the follow-up question typically is, "So how often do you look at data maps? And if they change, is there any type of control limits, typically on the top end that you say, 'Wait a minute, we need to ask questions. Who's asking those questions? Who's watching that?' " And to your point, sometimes it takes some time to get back. Rarely do I have someone in the room that's able to say, "Oh, this is exactly how often it changes, and these are the parameters, and this is the person or these are the people that work on that." I don't get that answer very often. That's where I advocate at that point, if you want to be serious about this, that's something you're going to have to have resources for.
Bill Tolson:
Yeah. Having spent many, many, many years in litigation and e-discovery, the first thing that occurs to me is, well, how do they do e-discovery if they don't even know what resources they have to discover? How many times have they been sued and missed potential evidence because they didn't know these other resources existed? That could be very dangerous in itself. But I think we're both in agreement that information management, information governance professionals are really going to need to come up to speed more on data security and data privacy, correct?
Andrew Ysasi:
Absolutely. This is a good opportunity to plug the new ISO 24143 information governance standard. As many professionals on the privacy side are very aware of the ISO 2700, and the cybersecurity folks are aware of NIST, the 800 series requirements, there's now that records management 15489 with ISO compliance and records management, with IG now having a standard. I think that that really shines a light on more of this profession being a talk track or a buzzword, to no, this is a real thing. There's some real opportunities here. And there's money to be repurposed. It's not just a risk situation, where oh, we can save this money if we do this. It's almost more of a, we can not only save money, but we can find the value of information moving forward, so we can potentially have a way to say, "Look, we can generate revenue from some of the information that we have in a responsible manner." And I think future versions of the IG ISO standard, and as IG starts to become more well known, people will take advantage of that.
Andrew Ysasi:
People say, "Well, Andrew, give me an example of how that's being done now." I say, "Well, you probably are familiar with Facebooks and the Googles and the Instagrams of the world, that that's all they do, is they take this information and they sell it off to advertisers, of course, after you say that you want to give up that information, and then they push content to you." So this is not a new concept. I think as organizations understand how they can use information ... because not everything's in that Google-Facebook environment. There's ways to responsibly generate value internally and externally with the data you have. I know that's a little bit outside of the scope of the risk management side, but I think it's an important part of IG to mention.
Bill Tolson:
Oh, absolutely. Can you repeat for our listeners that ISO standard again?
Andrew Ysasi:
Yes, sir. It's the information governance ISO standard, ISO 24143:2022. It came out middle of May of this year.
Bill Tolson:
Great. Yeah, I think that'll be really interesting for people to follow up on.
Andrew Ysasi:
Sure.
Bill Tolson:
I think we both mentioned the idea of data minimization or defensible disposal. Those strategies have been around a long time. It's an information management strategy that we all talk about and we all say is really important. And then you run across corporate legal saying, "No, you can't delete anything." I don't know how many times that's happened to me. You have all of these records that have expired, and corporate legal is saying, "No, keep them for another year or so." And that keeps going on. That's always difficult. And then [inaudible 00:27:22] information managers to follow through due to pushback from end users and the legal department, it's almost a full-time job.
Bill Tolson:
There used to be a well-known paper from DuPont corporation. It was on their e-discovery. As a big chemical company, they were sued a lot. They did a study, and this was probably 15, 20 years ago now, but they looked at just nine of their litigations, their lawsuits that they were involved in, and they looked at the costs of e-discovery. Of the nine cases, they ended up having to review 22 million pages of documents. This was before predictive coding and all of the machine learning and AI that we started using in the 2010 range. But they figured out that of those 22 million document pages, approximately 11 million of them had been expired and should've been deleted and never involved in e-discovery. They also figured out they ended up spending an additional 9 or $10 million reviewing documents that should not have existed anymore. That really comes back to the whole idea of information management and sticking on, especially data minimization, defensible disposition, and those kinds of things.
Bill Tolson:
I've run across, especially when I was consulting, but I still run across, and I ask the questions of companies, how active is your disposition process? And they all say, "Well, gee, we're right on it." Then you end up talking to them for longer, and they're poor at it. I was just wondering if that's been your experience as well.
Andrew Ysasi:
Yeah. You know, it depends on, ultimately, I think, the size of the organization, and the culture as it pertains to operating expenses around, in many cases, technology. Let's say risk isn't something that's going to scare anyone in some of these large organizations. When I say large organizations, I'm talking organizations of hundreds of millions to billions of dollars. For them to make a case ... And I tell some of my students this. You may work in an environment where a few million dollars may be a drop in the bucket. It's not going to faze them. So for you to go through the motions and say, "We can have data minimization and defensible disposition," how do you provide value when they don't care about the $2 million part of saving money?
Andrew Ysasi:
But if you as a person who is in records management and organized and understand where the PII is and you understand the workflows of the organization to know where these risks are to help with those data maps, you now provide value for the organization. So when you're called upon to help with e-discovery, by you being there, you can help minimize those costs.
Andrew Ysasi:
Now, on the flip side, if you're an organization that's watching that operational expense on technology very closely, and maybe even pushing that expense off to other departments, there's a real opportunity to say, "Look, let's take a close look at applying retention, and let's talk about defensible disposition, and show that savings to internal counsel or outside counsel to say, 'This is why we do this.' " And if you are in a heavily litigated area and you're not necessarily rushing to pay a settlement, then yes, it does make a lot of sense to keep that down.
Andrew Ysasi:
But I think where some of the organizations that are starting to move the needle a little bit as it pertains to traction of data minimization and defensible disposition isn't so much on risk or cost savings. I don't know if you've seen this, Bill, but it's sometimes on the sustainability side. By going on a data diet and using less resources to keep systems running and not producing as much information on paper and using less electricity, that in some cases can be a driver as much as doing the data minimization and defensible disposition than, say, doing it for risk purposes, or saving hard costs for budget reasons.
Andrew Ysasi:
That's just another interesting twist on that side where I've had some students and some folks in the network come back and say, "I was able to get traction on sustainability initiatives. Even though for years they dismissed the risk or saving X number of dollars here, sustainability got me where I needed to be." So there could be some opportunities in areas that you're just not thinking about and still get to accomplish the data minimization and defensible disposition goals that you seek.
Bill Tolson:
All great points, and absolutely agree. The other thing that I always come back on with this is, as you save, store, allow more and more data to exist within your enterprise, then it becomes more costly to find what you want to find when you want to find it. Now, a lot of data's never looked at again. We all know that. But when you get into an information request, or even an e-discovery, what's it going to cost you to actually go through petabytes' worth of information, in a lot of cases, and how long is it going to take?
Bill Tolson:
I used to work at Iron Mountain for a period of time because of a merger, and our ... I think it was the CMO at the time ... basically had a really interesting statistic. He said, basically, "It costs anywhere from 20 to 100 times more to find the data you're looking for at the time you're looking for it than to store the data for 100 years." It's the additional compute, and like you said, the cooling and stuff. But as you get much, much, much bigger repositories of data, and maybe in many, many repositories, how can you find the data you need when you need it?
Bill Tolson:
Then you get into measurements that various market research firms used to track. They don't anymore. But how many hours per week does an employee look for information, for legacy information? I've seen numbers anywhere from two to eight hours per week. Eight hours is [inaudible 00:33:30] way too much. I usually fall back on two hours per week. And then how much time did they spend recreating the data they couldn't find? So then you add more on that. So the cost of not managing your data really affects productivity, number one, and the loss of productivity numbers get very big, but also you could look at the opportunity cost of profits and all kinds of stuff. So having that ability to manage all of that data ... And like we've already mentioned, they're going to have to be managing all of the data now.
Bill Tolson:
What I've always found funny/disappointing is that even in a company, and I've worked in aerospace and other things, even in a company where they say, "These records have to be managed," they have never said, "And all of the other data too has to be managed too," and it's a free-for-all. 5% of the data is regulated, so yeah, everybody manages that as much as they can. But all the other data's free-flowing and disappears and comes back, and ends up in discovery. Like I mentioned before, I think it's going to be a major culture shift for companies to be able to do that.
Andrew Ysasi:
Yeah, absolutely. Absolutely. And with emerging technology, it's only going to get, I would say, from the records management, IG, more tasty of opportunities to manage the risk and the issues around even more information, especially if you start talking about public blockchains or private blockchains with information on those. Technology continues to evolve at a pace where not only the law has to try to keep up, but practitioners and organizations have to try to keep up. I don't know if we're going to see that true paradigm shift, where people are asking, organizations are asking questions before new technology is rolled out. We're going to continue to be chasing that. But that's, in some ways, great job security for those of us in the profession.
Bill Tolson:
Yeah. Like we've mentioned, and I'll mention it one more time here, with the idea that information managers, records managers, information governance professionals, are really going to need to expand their education to include some of this other stuff. One of the ones I've been dealing with for the last couple of years is the rise in cyberattacks and ransomware and the newer variants of extortionware that end up prevailing, or basically worming their way through huge amounts of data. And I think you mentioned this, the fact that with more data, you're going to have to put more and more security on it. And then you're looking at role-based access controls to get the right people access to the right amounts. You're looking at field-level encryption, where I can get into SharePoint and pull up a document, and I can see the various pieces of PII, but somebody in another department could pull the same thing but those pieces of PII are going to be encrypted. And you get into role-based access controls through Azure AD or the equivalent in AWS.
Bill Tolson:
I mean, the technology is sort of keeping pace, but I think the human element has to be more involved and more educated as well. Otherwise, there's going to be issues, problems, challenges that I think is going to be ... It's going to cause, especially in the people we're talking about, the information professionals ... It's going to make their life harder. And they need to at least understand what this technology is and how it's going to affect them, and how they're going to have to work with it.
Andrew Ysasi:
Absolutely. We talk about information governance committees, and let's say an organization gets serious about applying information governance throughout the organization. I've been in some interesting back-and-forths with individuals on how long those strategies should be planned for. Is it a one-year strategy, three-year, five-year strategy? I think every organization's different, of course. That's the academic response. It depends. But the consideration for a long-term five-year strategy is that technology isn't going to stop evolving, organizations are not going to stop rolling out new technology over that five-year period. And on the flip side, in one year, it could take you a significant amount of time to just digest and find a plan of what's going on. And of course, whatever you learn could alter what you do within one year.
Andrew Ysasi:
So I think the expectations of an information governance group need to be understood at the board level, so there's hopefully not wasted resources being pointed [inaudible 00:38:10] Let's focus on defensible disposition and data minimization over preparing ourselves for privacy regulations that will likely impact us, or some other regulation. Or let's say, wait, e-discovery. We have a very good case load for suits, and we need to get our arms around that, and maybe start to piece out some of those projects from an information governance standpoint to gain some traction, gain some [inaudible 00:38:37]. Because just like anything else, I think if you throw a bunch of well-paid, smart people in a room and you don't have realistic expectations, you're just paying a lot of salary to not get a whole lot done. I don't come from a world where that's really looked at as a positive thing. That's usually called vacation or executive retreats, not working groups.
Bill Tolson:
Yeah. And now I think that's absolutely on point. The other thing that I think information governance professionals are going to continue to see, and you just mentioned this, the idea that technology is going to keep going forward. I think just things like machine learning and AI for auto-categorization, and automatic field-level security, those kinds of things, they're already, and they're going to get bigger, and they're going to make information management people's jobs easier.
Bill Tolson:
I've been telling people for years that the holy grail for records management and information management was a completely automated, completely accurate system that would automatically categorize stuff and put it in the right bucket and manage it and get rid of it. That's the holy grail for information management people, but it's also something they don't like a whole lot in certain cases, because it could mean that their job is going to change dramatically. That's on the horizon. I mean, it's happening right now. We utilize machine learning in some of our technology. But the whole idea of auto-categorization, auto-classification, based on content, not on header or metadata or anything like that, but the content of the document, we're getting there, yeah.
Andrew Ysasi:
Yeah. And that's where information governance comes in. If you're an individual who has been in records management for maybe 20 years, and you've got a lot of tread on that career tire, so to speak, and [inaudible 00:40:18] well, what am I going to do if we go to all these new technology? There's opportunities to manage that technology. There's opportunities to understand how privacy works, to help with cybersecurity. As you go back to the records creation, organizations are going to continue to create records, and they're going to need someone. You may not be spending as much time on a Hilo getting pallets of boxes off a shelf, but good grief, there's a lot of opportunity on the content side. And [inaudible 00:40:45] that's a big stretch there. But there's a lot of opportunity on the content side, to your point, where organizations are going to keep creating more information, and how can you help?
Bill Tolson:
Oh, yeah. Going to be amazing to continue to be part of.
Andrew Ysasi:
Yeah, absolutely.
Bill Tolson:
Andrew, I think that will wrap it up for this edition of the Information Management 360 Podcast. I really want to thank you for a really interesting, kind of fun, educational discussion today. It was a lot of fun. Very interesting. I really [inaudible 00:41:11]
Andrew Ysasi:
Yeah. No, I appreciate that. I will be remiss as the president of the Institute of Certified Records Managers to not mention that there's workshops available through them, through ARMA, and there's a lot of education opportunities through the ICRM, ARMA, and others, through ACEDS, SIGOA, a relatively new association, AIM, to help organizations and to help individuals and practitioners prepare themselves for these types of challenges. No, and I appreciate you inviting me, Bill. It was great to run into you at the MER. Boy, if neither of us had gone to that conference physically, I don't know if we would've been chatting today. So I'm happy to meet you [inaudible 00:41:50] Yeah, can't wait to see you in person again.
Bill Tolson:
Oh, yeah, yeah. And absolutely agree, by the way. It was a lot of fun. Loved talking to you. Loved your presentation at MER. If any of our listeners today has questions on this topic or would like to talk to a subject-matter expert, please send an email mentioning this podcast to info, I-N-F-O, @archive360.com, or my email address to send questions or inquiries to me is bill.tolson, T-O-L-S-O-N, @archive360.com. We'll get back to you just as soon as possible. Also check back at the Archive360 resources page for new podcasts. I have a whole bunch already lined up, but with leading experts like Andrew here. This is very valuable for people. And we do post them on a regular basis.
Bill Tolson:
I also have several podcasts that I've recorded with state representatives and senators on their data privacy bills and laws that are already up there. In the next several weeks, I'll be recording a podcast with the US Chamber of Commerce to talk about their views on the new data privacy law that's sitting in Congress right now. It's called the American Data Privacy and Protection Act, ADPPA. I don't know if it'll actually pass into law this year or next or never be passed, but it's really an interesting bill, and has some GDPR-like qualities.
Bill Tolson:
But again, thank you, Andrew. Really, really loved the discussion, and we'll keep in contact. Thank you.