Description:
In our latest episode, Bill Tolson and special guest Mike Salvarezza, Vice President of Content Development, MER, discuss how to maintain an effective information governance program in the new world of COVID-19. The episode explores how information governance professionals must take a holistic view of privacy, cyber security, data security, training, data management, etc. They also discuss the complexities collaboration tools, such as Microsoft Teams, create when storing and managing information.
About MER:
MER equips information governance professionals to better impact their organization’s business objectives. MER connects industry thought-leaders, solution providers, and professionals with thought-provoking, interactive, and solution-oriented engagement products.
Since 1992 MER has examined contemporary information governance issues from the Legal, Technical, and Operational perspectives at its annual MER Conference™.
In 2018 MER expanded to include a robust series of year-round webinars under the brand MER Sapient.
MER announced a further expansion in 2020 scheduling day-long deep dive events focused on a singular pressing issue with accompanying solutions under the brand MER Immerse.
Now in 2021, MER is excited to introduce its newest product:
MER Merlin: quarterly industry-defining market research reports and custom thought-leadership content.
IG professionals and solution providers alike trust the MER brand for its integrity, highly relevant, non-commercial content. The MER community includes the best, brightest and most change-oriented leaders in the industry.
Speakers
Mike Salvarezza
Vice President, Program Development
MER Conference
As the Vice President, Program Development for the MER Conference, Mike provides key insight and expertise in the areas of Information Governance (IG) and is responsible for creating a relevant and compelling experience at the MER Conference and across all of its delivery platforms, including the MER Sapient Webinar Series, for its attendees and exhibitors. Mike is recognized as an industry expert on Information Governance and his extensive Information Technology background enables him to anticipate emerging IG trends and challenges from a Legal, Technical and Operational perspective.
Bill Tolson
VP of Global Compliance & eDiscovery
Archive360
Bill is the Vice President of Global Compliance for Archive360. Bill brings more than 29 years of experience with multinational corporations and technology start-ups, including 19-plus years in the archiving, information governance, and eDiscovery markets. Bill is a frequent speaker at legal and information governance industry events and has authored numerous eBooks, articles and blogs.
Transcript:
Bill Tolson:
Welcome to The Information Management 360 Podcast. This week's episode is titled the changing information governance environment in the age of COVID-19. My name is Bill Tolson and I'm the vice president of compliance and e-discovery at Archive360. With me today is Mike Salvarezza, vice president of content development for MER. Today Mike and I will be discussing the issues with this changing information governance environment and how the pandemic is. And the reemergence of the pandemic is really forcing us to look at different ways to address information governance. So maintaining an effective information governance program in this kind of environment that we've all been experiencing for a year and a half or more really, which has been pushing most organizations into a remote workforce environment, again, due to the pandemic and those issues. And I'm sure that most people might now have run into, I know Mike, you have some great insights into this.
Bill Tolson:
So the dramatic rise in the COVID-19, especially the Delta variant has begun to push us all back into social distancing, mask wearing, and a halt to the return to the office environment. And I know many people that I'm in contact with, some of them were in the process of actually beginning to move back, at least part-time to their office environments. And almost all of them have told me that has stopped yet again. This ongoing remote work environment continues to put a strain on long established corporate information governance processes. This potentially, I hate to say it, but maybe potentially permanent shift to a partial or at least full remote work environment highlights the need to rethink corporate information governance processes, technologies and strategies that organizations are looking to, or may need to update change because of this.
Bill Tolson:
And I know a lot of us early on or not even early on, a year into the last shutdown were expecting it wasn't going to last much longer and it continues to at least in certain parts of the company to hang on. So with that in mind, let's dive into our discussion. So Mike, you and I have spoken briefly about the need to re-imagine information governance. Can you explain what you mean by this re-imagination?
Mike Salvarezza:
Sure. And Bill before I answer that, thank you so much for inviting me to join you today. It's a pleasure to speak with you, and it's a pleasure to be on this podcast. So thank you.
Bill Tolson:
Thank you, Mike.
Mike Salvarezza:
I think that information governance is a discipline that is still trying to, in some ways, figure out what it's all about, figure out how you actually define what that role is within an organization. And there's a lot to talk about there, but if we accept for a moment at the very broadest highest level description of what information governance is that it is the management of information through its entire life cycle in an organization with all of the various concerns that apply to that information, whether it's privacy or whether it's an e-discovery imperative or whatever it is that touches that information, information governance is responsible for making sure that that information is managed and governed throughout its life cycle.
Mike Salvarezza:
If you accept that as the definition you might say, "Well, sure, that sounds pretty clear. And that sounds pretty comprehensive. What does re-imagining it mean?" Well, I think re-imagining information governance has a lot to do with not so much what I just said, the charter of information governance, but what it's really endeavoring to do and how it's endeavoring to do it. So an example is this COVID situation. It is this remote working situation that we're all struggling with, but there are others. But if we look at the remote office situation, there are challenges that have emerged. And I think some of these are fundamental challenges, they have to do with a complete shift in how the workforce works together, how they collaborate, how they exchange information, where that information resides, how that information can be secured, how that information can be collected and preserved.
Mike Salvarezza:
It becomes exponentially more difficult when the organization is very much dispersed and it becomes much more difficult when the dispersed organization is starting to use technologies that if we roll back the clock just a couple of years were new and novel, but now are kind of commonplace things like Microsoft Teams and things like Zoom. All of those platforms are now essential business tools. Some of them create real challenges for information governance. So when I say re-imagining information governance, it's really about how do information governance professionals once and for all really tackle these problems because the problems of burgeoning piles of information have been around for quite a long time. And I'm not sure we'd have completely solved those problems, but now is an opportunity to really rethink how we're doing all of this and rethink what we're trying to do.
Bill Tolson:
That's a great insight. And you mentioned information governance professionals. I connect that with records managers and others as well. And you mentioned these new technologies that were very quickly adopted early last year because of the pandemic and because of the move to remote workforce. And obviously I'm thinking about Zoom and Teams and others like that, but the very quick adoption. And I think in many cases, to organizations I've talked to, the lack of a complete understanding of how information on those platforms is generated, stored and managed.
Bill Tolson:
And I know early on, and I was writing articles about this early on especially with Teams, but also with Zoom and others. How can you capture that data? Are you capturing all the data objects? Did even your IT organizations have an inkling as to how complex that would be with Teams, for example, there are 10, 12 data objects that are created when a standard chat goes on or a meeting held within the platform, there's sentiment and there's emojis, and there's uploaded files and shared and private conversations and public conversations.
Bill Tolson:
And within the platform, those things are spread all over the place. And especially early on, very few organizations knew where all that stuff was being captured, for example or generated when an Office 365, how to capture it, how to set retention policies on it. And that's not even mentioning the e-discovery side. If you're under litigation hold and those kinds of things, nobody knew where this data was. So that was an extremely difficult situation. And I think there's still a lot of companies who have not caught up. I know many of the platforms and I know Teams especially has Microsoft has made some valiant attempts to make that data collection more straightforward, a little bit easier. I think they got a long way to go. But I think with all of that said with this move to a remote workforce, whether it's permanent or not, what are the challenges, issues for information governance professionals with this change?
Bill Tolson:
Because they have all kinds of responsibilities. They have their management expecting that they're doing certain things and doing it correctly. And I've talked to many information governance professionals and they all highlight various issues that are giving them difficulty. One of the things I'll bring up later, Mike, and I'll give you a chance in a second. I'm sorry. I'm rambling on, but one of the challenges that we can potentially talk about a little bit later in the podcast is this idea of with data being generated and you're in a remote work environment, whether you're on a VPN or not, all of that data that potentially is being stored, some of it locally on employee machines and so forth, makes it even more difficult to number one for the InfoGov professionals to know that this stuff is being generated, where it's at, who has access to it, and how you lock it down if you need to. What do you think about that, Mike?
Mike Salvarezza:
Well, I think we could spend this entire podcast talking about Microsoft Teams and what strategies need to be in place to meet the challenges that it creates, but it's a good proxy for some other problems. I think that Microsoft Teams is an example of a platform that creates or exacerbates the problem of data sprawl that already exists within organizations. Even if you did not have Microsoft Teams in place, even if you did not have the remote workforce trying to figure out how to collaborate this way, you still had the problem of data sprawl in an organization, data being stored in different nooks and crannies of the infrastructure.
Mike Salvarezza:
Microsoft Teams presents a challenge because a lot of the data storage to your point Bill, a lot of the things that get created during a regular usage of Teams, a regular meeting, or whatever it is they're using Teams for, those things are, some of them are new data types for organizations, a lot more video recordings and audio recordings that are as we know a little bit more difficult to search for. But the issue of data sprawl is really exacerbated by Teams because people don't understand very clearly the underpinnings, the technologies that it is riding on top of.
Mike Salvarezza:
So the challenges for organizations to figure out a data management strategy that makes the storage of information that comes out of Teams more clear, I guess, is the right word. And once it's clear, then we can start to figure out how to govern that data. Right now you have organizations that are running Microsoft Teams and they don't really have their head around a OneDrive strategy or a SharePoint strategy or whatever it is that is underpinning their particular... or they may not have a cloud strategy. So I think the issue with Teams is that it's exacerbating some of the problems that have already existed. The other thing with Teams is that we're in a situation where you can't stop that train. I think any information governance professional that's been around for any length of time knows that there's this constant tension between what the business wants to do and what information governance thinks they can manage.
Mike Salvarezza:
I go back and this is where I will date myself in this. And I've maybe I shouldn't do that in a podcast for the whole world to hear, but go back to the times when text messaging was first emerging as something that people wanted to use. And I remember the battles coming out of the legal department, coming out of the records management group saying, "We can't allow text messaging in the organization." Well, you can't stop that train. We didn't stop that train. Text messaging is now something that everyone does. Those battles are age old. And I think when I say re-imagining IG, we have to get away from those battles. Those battles are never ours to win. The business is always going to win those battles because the business needs to move forward. And with this pandemic and with the rate of change that has happened to accommodate the changes that were incurred because of the pandemic, the business is not going to slow down.
Mike Salvarezza:
The business has to actually accelerate and information governance needs to be part of that accelerant, not an impediment to that acceleration. And that's a real challenge for IG because you don't want an IG organization that just rolls over and says, "Do whatever you want." They need to figure out how to be part of the business, part of an enabler of the business while ensuring that things are governed the right way, but you can't turn around and say, "Stop, don't implement Teams." I was part of a discussion not too long ago with an organization that was debating whether or not to allow third parties or outside people to participate in Teams meetings. And the concern was the discussion of sensitive information with third parties over Teams and the inability to manage what happens to some elements of that information as it goes out into a third party's organization. And the desire to shut down access to third parties was very strong on some people's parts.
Mike Salvarezza:
And that battle lasted all of about five minutes before it was clear that that battle was not to be won. My point is I'm being a little long-winded, but my point is IG needs to get on the bandwagon of helping the business. And in order to do that, we really have to understand these technologies not fight them, we really need to understand them, we need to understand them quickly, and we need to be part of putting a strategy in place that helps those technologies come to life in an organization while we're able to govern the information that they generate.
Bill Tolson:
Obviously, great points there. You mentioned a data sprawl. Just falling back on a story I always remember related to that. And this was probably six, seven, eight years ago. I was part of an e-discovery meeting where opposing counsel was questioning various people within a company. The two companies were suing each other over, I think it was patent infringement. And the opposing counsel was asking the VP of accounting. "Does your department do your employees utilize any kind of, for example, instant messaging?" And before the VP of accounting could answer, the company's lawyer I think was actually the GC basically piped up and said, "No, that's impossible. We have a rule that basically says that instant messaging and other types of that kind of collaboration application cannot be used within the company." And even before he actually ended his sentence, the VP of accounting sheepishly said, "Well, yes, many of them use Yahoo Instant Messenger."
Bill Tolson:
And did you see just look at the VP of accounting and with an extremely dissatisfied face. And when asked how that was possible, she says, "The only way we can get stuff done in our schedule." So yeah, many of the people have installed their own Yahoo Instant Messenger within the company's enterprise. And they use it all the time. And the next question from the opposing counsel was, "Did you place a litigation or did you start collecting all that data?" And the answer was no, obviously. So that caused some question, that caused some issues, obviously going on for a long time to come. But I think you also might get into the whole idea of human nature. Humans are going to move towards those solutions that benefit them in their daily working environment unless there is an ongoing enforcement of those things with actual punitive results, employees are going to do what they're going to do and it's up to IT and it's up to legal and it's up to the InfoGov people to what's being used and why, and adapt to that so that you can capture that data in archiving if you should, or if you can apply litigation holds on those things.
Bill Tolson:
I think, especially with information governance, people working with IT and legal, they should all be co-equals in figuring out what those processes technologies and so forth should be. I mean, one of the things, and again, going back to the data sprawl Mike, Archive360 deals with a lot of large state and federal agencies. And with both of those, with the move to mostly remote workforces, the issue of responding to Freedom of Information Act requests have become much more difficult. We've had many, many, many federal agencies, as well as state agencies coming to us saying, data is all over the place now it's not just sitting in the enterprise, it's not sitting on just the email server that one of our people can go on and do a search on it's all over the place.
Bill Tolson:
And what do we do if you can't respond to a FOIA request within the law's stated time, then some of those FOIA requests are going to turn into litigation. And we're seeing a lot of that too. So the whole idea of the workforce, where you want to workforce is almost the definition of data sprawl and that it is just everywhere now. And it's very difficult for especially many of these agencies don't have the biggest IT budgets in the world. So it's always secondary or a third level of priority to actually get control of their information.
Bill Tolson:
But the whole idea of you bringing up Mike, data sprawl is the crux of the problem. What data should be managed with the current circumstances, how can it be managed? And again, I think we've talked about this before, and I might've mentioned it five minutes ago, but the idea of what data within an organization, even with the remote workforce out the window, what data should be actively managed by information governance professionals? Is it only records or is it all the data, and how do you do that?
Mike Salvarezza:
Yeah. So I'll leave the how do you do that to you Bill, and your company, but my feeling on this is this. I think that there are certain reasons why you want to pay attention to formal records in your organization. And so you have to manage those formal records. And those formal records, as we all know, are a limited, very limited subset of all the information in an organization. And we all know that when it comes to e-discovery, the universe of applicable information suddenly becomes everything. So to answer your question, I think the context matters in terms of what it is you should be managing and governing. And I think that you need to manage it all because you can't predict what that context is. It could be a privacy request coming in from the EU, for some piece of data in somebody's email somewhere.
Mike Salvarezza:
It could be a FOIA request as you said, it could be a tax audit, it could be something as formal as that, or as something as informal as we're doing discovery for an anticipated litigation about the firing of an employee. And what was said between these two people over here about that employee. So I think you have to manage all of it. The how to do that is the challenge. And so when I think about re-imagining information governance, I think we have to get quickly away from any notion, any notion that we think that people can do this. I think we have to quickly get away, certainly get away from the notion that the employees, the workforce should be tasked with managing their records or managing their information according to whatever governance constraints we want to put in place.
Mike Salvarezza:
They need to do their jobs, they need to do their business. They don't wake up in the morning to be a records manager. They wake up in the morning to be a sales executive or whatever it is their role is. And I don't think it's humanly possible to manage the volumes of data. And now with the pandemic and the new collaboration platforms, I don't think it's humanly possible to manage the rapidly evolving sources of information. That leads me to technology, that leads me to things like machine learning and artificial intelligence engines. So when I think of information governance in the future, I think information governance will largely rest on the abilities of these engines to do these governance functions. Because I don't believe that it's humanly possible to achieve all the things that we need to achieve manually.
Bill Tolson:
Yeah, absolutely agree with you on that. I've been looking at this very specific topic for decades now. And one of the biggest issues that I've seen in the idea of managing all data, not just the five or 10% that happens to be records is cultural in a lot of cases. You'll walk into high-tech companies. And when I was consulting and going in and talking to companies in general about how did they manage your information? Did they have records policies? How did they capture data and so forth? In many cases, and it's still this case because I still ask about it. It's this idea that the organization that I'm talking to at the time basically looks at all of that data that an end-user receives and creates and uses and shares as their own personal data.
Bill Tolson:
And they're sure there are records that because of compliance reasons have to be captured and protected and all kinds of other stuff, but all of that other stuff, that's the employee's issue. And whether they think it rises to the need to keep or delete or whatever is all on the employee. In fact, I've never been in a company that has even brought up the subject of GI that information. And I've written articles on the idea that companies employ people to create and ingest information. And that information is then used to create products and design new things and all kinds of neat stuff. But very few companies actually attempt to even know what information their employees have. And like you said, it was a great point with all the new privacy regulations.
Bill Tolson:
I'll just throw a number out there, if 80% of all of the data, all the electronic data in our organization is maintained and controlled directly by individual employees, then if you get a right to be forgotten request, how do you know what the employees have on their own individual laptops? If you don't have access to those laptops, if they're not syncing and you can search them and all those kinds of things. The ability to ensure that you've carried out the right to be forgotten request is impossible. And if you can't do it by the way, the potential fines can be large, can be huge. But the idea of I think, like you say, all of that data that employees control companies need to change their overall cultural understanding of that. It's their data. I shouldn't be sitting on three terabytes of data that the company knows nothing about it should be synced via the enterprise and so forth.
Bill Tolson:
And then, like you say, it's physically, I think impossible, like you did say for an individual employee to deal with 5,200, 500 gigabytes or megabytes of data on a daily basis, and what do we do with it? And that's where I think the only potential solution, and you mentioned this was the idea of machine learning and AI to look at that. But the first step is to say, we need to set up mechanisms that give the enterprise the ability to collect that data. And number one, know what's there and be able to manage it, apply retention policies on it, be able to apply litigation hold and set those systems in place that at least allow that connection. So you know you can get to that data and then rely on machine learning and AI to go out and index that data, understand that data, apply retention, disposition on it, all kinds of neat things.
Bill Tolson:
And I think that is the only possible solution once those organizations get to that point where they say, "Yes, we have to manage it all. Not just those odd records that some agency is going to threaten us over, but everything." Because with the privacy regulations and various other regulations companies are in huge jeopardy, if they're not going to manage that data.
Mike Salvarezza:
I think that's right. And I want to be clear, a lot of times people that I talked to at the MER of course we are a conference and an organization focused on bringing content around this to the audience that we deal with. And so whether it's webinars or the conference or other things. So we talk with a lot of people and there's often what I've seen is a concern, especially from people that are traditional records managers or people who have grown up in that space feeling as if the records management discipline is no longer necessary or feeling like they don't have a place or not understanding what their role is, vis-a-vis information governance.
Mike Salvarezza:
And I think that everything that you just said, Bill is correct. Everything that I said is how I feel, but that doesn't mean that there isn't a very important role for the records manager. It's just that the records manager needs to think bigger. It's not about just securing these one or two documents that relate to this one particular regulation. It's about helping the organization understand where all of its data is. And again, I think automated tools are the only way to do that.
Bill Tolson:
And to help derive value from all of that data. There's a lot of good stuff in there, one very short story, probably five years ago, six years ago at the most while consulting, I was in a very large organization. And we were having a meeting with the legal department, the records department, and IT. And there were probably 30 people in the room. The VP of records was there, the GC and all his staff were there, IT and all that kind of stuff. And they proceeded, the IT and GC started... Legal folks proceeded to start complaining about that darn, file server that everybody knew about that had 700 terabytes worth of data on it. And the fact that nothing on it was being managed so that every time any e-discovery request came in, they had to go through and research it.
Bill Tolson:
And they were paying consultants to do that. And it was costing them millions of dollars per year, because they've never gotten to the point of actually managing the data and both the legal department and the IT department looked at the VP of records and said, "Why don't you have control of this?" And the VP of records looked at everybody and said, "We don't have any say-so over data on file servers and so forth." And the room got loud and well, why not? And the VP of records said, "Basically we've put out a directive," they've told everybody in the organization that, "Records cannot be stored on file servers. They have to go into the records management system. Therefore, there's nothing on those 700 terabytes that has anything to do with records. So we don't have any say-so over it."
Bill Tolson:
And obviously the meeting got very loud after that. And I'm not blaming the records people, that was part of the organizational culture that they put out a directive, doesn't say, "Do not put records on that." And records management only cares about records. Therefore, all this other stuff is none of our business and we don't care. And I have noticed not that specific organization, but I've noticed that's slightly changed.
Mike Salvarezza:
I think that is changing. And yeah, I think that that's a very good story and a very good example of that sort of limiting thinking on both sides. I think to go back to your story, the organization defined that only records go in the record system, and that's all we care about. The records manager then went along with that and I think the records manager needs to, and this is where information governance, I'm not trying to conflate the two, but information governance needs to essentially take a leadership role to say, "No, that's not really sufficient."
Bill Tolson:
Yeah, no, absolutely. I absolutely agree with you progressing from the old, well, I hate to say old, but the dated records management category of professionals to more of an information governance and everything else that equates brings up another question. And it just relates back to the whole idea of remote workforce as well. But with cyber threats and ransomware and extortionware and all of this stuff going on, it's putting more of a security, both infrastructure and data security requirements on organizations and information governance professionals are working by definition of what they're supposed to be doing with a lot of this data. So personally, I think it's realistic and probably required for InfoGov professionals to become, I wouldn't say much more knowledgeable, but more knowledgeable on data security because they're going to be working with it and interfacing with it on a daily basis. What do you think about the need for InfoGov professionals to be coming up the learning curve more on overall infrastructure and data security?
Mike Salvarezza:
Let me answer that with an analogy first, and then I'll get a little bit more deeper. I think the best analogy to view what an information governance director, a chief information governance officer, or whatever title you want to give that person is they are very much akin to the conductor of an orchestra. They don't necessarily need to know how to play the violin or the oboe, but they need to extract the best from the violin and from the oboe. And they need to know when those two instruments need to play, whatever it is they need to play to produce the symphony. In the world of information governance, I think cybersecurity is fast becoming the most significant threat, the most significant concern, even more than privacy. I think privacy is there today. But I think it's now even moving past that, it's cybersecurity.
Mike Salvarezza:
For an information governance professional to be successful, that person needs to understand why cybersecurity is important, needs to understand at a higher level, what a cybersecurity program should look like and needs to be able to integrate that into the overall information governance program. Doesn't mean that they need to know how to go down and sit down in the data center or to configure a firewall, but they need to know what a firewall is and they need to know how to create and work with cybersecurity professionals to create a policy structure that articulates a secure environment.
Mike Salvarezza:
Do you grant access based on the principle of least privilege? How do you deal with third parties? Do you shut down the USB drives on laptops through a policy? There are things that have to happen. And in order for an information governance professional to make sure that the information that they are looking after is secured, they need to have a very tight relationship with the cybersecurity people in their organization, because the information governance professional is not a cybersecurity expert. The information security person is. So they need to be able to forge a relationship and grab that person and make them part of the program. That's how I see it.
Bill Tolson:
That's an excellent point. And for information governance people, they need to come up to speed with and understand the use of specific data masking, bank numbers within any document are going to be masked, anonymized, pseudo-anonymized, encrypted, whatever it happens to be because number one, because of the privacy implications and so forth. But who in the company, who in the information governance department needs to be able to see that stuff and who doesn't? There are very few people in a company outside of maybe accounting, that need to see bank numbers or credit card numbers or anything like that. But that stuff is all over information floating around in organizations. And as we talked about machine learning and AI, systems will start or now have already started recognizing and masking that stuff.
Bill Tolson:
So information governance professionals, information governance employees, the people in that department, are basically having to deal with sensitive data, or at least work with files with sensitive data in it now on a daily basis, especially with the privacy regulations, who? The VP of information governance or whatever title they're using, they need to have input as to who in their department needs to be able to see that sensitive information because with the adoption of machine learning and AI, systems now are automatically going to be recognizing that sensitive data within any document, email, chat, whatever it happens to be. And masking that, running data masking routines on it, anonymizing it, encrypting it, whatever.
Bill Tolson:
And nowadays along with that system capability to recognize that data and mask it, there's also the need to have things like we've talked about role-based access controls. Who within the organization will the system automatically unmask that data for them to see? And it now needs to be done automatically. And it needs to be done in the background. As I pull up a file that I need to work with, it needs to know, "Should I have access to that sensitive data?" And then automatically demask it. And that is becoming again with the privacy regulations and the huge fines and with cyber and ransomware and extortionware and all that kind of stuff, we've moved from the need to do infrastructure or enterprise security. Gee, I'm going to work like crazy to make sure the wrong people don't get in the system.
Bill Tolson:
But after that, yeah, they have access to everything. That's gone by the wayside that can't happen anymore with the Capital One, AWS, privilege escalation attack of last year with the phishing attempts. You send an email to any employee and if they click on the wrong link, you just basically bypass all of your enterprise security. So getting down into individual file data security, I think is the next frontier that we're all starting to work on and offer. And that gets back to should Mike have access to sensitive data when he pulls up a file? Should Bill not have access to it? And that needs to be done automatically and very, very quickly, because again, like we both said, over the talk we've been having, there is so much data now that it's humanly impossible for anybody to work on this stuff individually, whether you're IT or an individual employee.
Bill Tolson:
So it needs to be pretty much bulletproof, but it needs to be automatic and very, very, very fast. And that's why based on the original question of do information governance professionals need to be coming up more to speed? And not that they're not by the way, I know many of them are. On the idea of at least the principles of security and hopefully in many organizations, if not all organizations, are they working with the security people? Are they working with IT to make sure that number one, the right technology is being employed, but also the right authorizations are being included in this stuff as well.
Mike Salvarezza:
I think all of that is absolutely spot on. And I would agree with all of it. And again, back to the theme that you put out for this podcast of re-imagining IG, there's even more to it than that. And some of it is less technical than what you're suggesting. So on the subject of phishing as an example. Phishing, these phishing attacks have become so sophisticated, it's really hard. It's really hard to not click because it really looks bona fide. It looks inviting, whatever it may be. So what's the degree of education that IG is putting out there to the organization around phishing? You can run mock phishing exercises across your organization. You can put in a training infrastructure that sends out a mock phishing attack, and you can track who fell for it.
Mike Salvarezza:
And then they can get remedial training. There's a lot that you can do that's not even technical that will go a long ways towards strengthening your posture as an organization. And this is where I think IG has a role. And when I say I'm re-imagining, it's not just how do I manage that record? Or how do I mask that information? It's all of it. And it goes to education. How do you lead the organization in a way that helps build a culture of security and a culture of governance? Well, the information governance professional can do that in a number of ways, training and communication is a part of it. And that requires some leadership.
Bill Tolson:
Yeah. Great point. And the idea of ongoing training is very important. We do that. In fact, it was, I wouldn't say funny. It was actually disturbing. I was going through a phishing training course. I think it was last week or beginning of this week. And as I was actually going through and taking the quizzes and stuff, I got an email from my VPN provider that I do on my own personally. And it basically said, "Gee, we're really sorry, but your auto renewal has been damaged and you need to re-put in your credit card number." It's like, "Oh, okay. Sure." First thing I did was look at the URL, look at the email URL. And it was actually from, they had mimicked that. Usually, you could tell very quickly if the email is some weird email address with a .gmail at the end, obviously it didn't come from that, but this was very well done.
Bill Tolson:
And not that I'm talking them up, but even worse, two hours later, I got another email from supposedly this VPN provider saying, "Hey, we're sorry. We don't know what happened, that wasn't us. But to make things right, we're going to give you a discount, but you need to re-put your credit card number back into the system." And I was like, "Wow, these guys are really working for it." It was almost a little scary because the standard things that I had always been taught is, look at the email address. You can go deeper in and look at the various servers it has gone through, but I think we're alluding to here, Mike, every employee needs to be very cognizant of that because some of these phishing campaigns now are so, so well done that even the best of us will fall prey to it. And that can destroy a great deal of work and really, really screw up a company badly. But both in lawsuits and regulatory fines but shareholder equity, brand, all of that stuff. I mean-
Mike Salvarezza:
All of it.
Bill Tolson:
... it gets really bad. So information governance professionals need to be a key member of that team and help drive those things. And I would suspect Mike, that MER is probably on top of that already and probably already offering training and maybe even certifications around that for InfoGov vehicle.
Mike Salvarezza:
Yeah, well, we don't do certifications, but we certainly bring the certification agencies to the conference and to the MER experience. But again, the role of the information governance professional is really about this governance of information. And it's not just about where is it stored and how am I preserving it? It's all of these dimensions, these things that you're talking about, Bill, the ransomware attacks that come in, the cybersecurity posture, the privacy posture. I would ask a question: is it the information governance professional's responsibility to be cognizant of the data center patching strategy, the software patching strategy across the organization? Should they be part of the conversation around how servers and things are patched or do they leave it up to the IT group?
Mike Salvarezza:
I would postulate that the information governance professional has a strong interest in that. So I'm trying to use these examples just to show that the information governance profession needs to take a much broader view and think of it holistically, all of these things that we're talking about, whether it's data center operations, privacy, cybersecurity, e-discovery, training and education, records management, and on and on. Data sprawl, data minimization, all the things that you'd be concerned with. If you're not looking at it holistically as one ecosystem, then you're not going to be successful.
Bill Tolson:
Yes. A great point. And I know we're running up near where we're going to need to cut it off here, Mike. But one last topic that I wanted to at least mention, that's really in the area of information governance with e-discovery litigation support and I'm sure you had the same experience and probably have the same opinions as well. But effective information governance is really the key to ensuring a complete and lowest cost e-discovery process. And that's why on the electronic discovery reference model, information governance is that main point off on the left-hand side that says, "You have to have control of your data to be able to do e-discovery correctly and at the lowest possible cost." I assume, Mike, you agree with that?
Mike Salvarezza:
I do, I do agree with that.
Bill Tolson:
Okay.
Mike Salvarezza:
But what I would say if we're having honest conversations with ourselves as professionals, if you're an IG person sitting in any given company and you're dealing with COVID, and you're dealing with the workplace being spread around remotely now, maybe now it's shifting to everyone can work from wherever they are. If you ask yourself an honest question, "Do I really have control over my information? Do I really, really know where all that information is?" Answer that question honestly. And you might be surprised at the answer.
Bill Tolson:
Yeah. That's a great level setting question that I think many people need to understand, and it really gets down with all of the stuff we've talked about, not just records management and information governance, but privacy, being able to respond to privacy requests, e-discovery and so forth. You have to know what data you have because you can't fully react, unless you know what you have. One point I always like to mention, and that's the DuPont case, because it's so straightforward in this. And it ties records management, information management and e-discovery together and I'll just very quickly go through it. So I think it was back in 1999 or 2000 DuPont, very large chemical manufacturing company, lots and lots of lawsuits every year like many large companies. They relooked at nine cases, nine lawsuits and the e-discovery involved in those nine cases.
Bill Tolson:
And going back and let me get those nine cases. They determined that they had reviewed a total of 75,450,000 pages of content in response to an e-discovery request across those nine, thanks. A total of 11,000 or 11 million pages or thereabouts, turned out to be responsive to the case. So 11 million out of 75 million. DuPont also looked at the status of the 75 million pages of content to determine the status of their records management process. And I found that approximately 50% of those 75 million pages of content were beyond their documented retention period and should have been destroyed well before. So they ended up basically having to review page by page, 37 million pages of documents that should not have existed anymore. They calculated, they spent almost $12 million for reviewing those 37 million pages of documents that should not have existed. So they actually spent about $12 million because the data that they had marked, the files that they had marked as being expired, wasn't actually gotten rid of. And in discovery, like you know, Mike, anything is discoverable if it exists.
Mike Salvarezza:
If it exists.
Bill Tolson:
You can't say, "Well, gee that's expired. We don't have to show it to you." No, if it exists anywhere, the discovery has to go find it and has to spend the money to review it, to determine whether it's discoverable or not. And that's where information governance comes in with e-discovery. And I've done podcasts on this. I know Mike, we've talked about this and you've written stuff around it. The whole idea of data minimization, data defensible disposition. Get rid of stuff you no longer want. That's part of the information governance process as well.
Mike Salvarezza:
Right. Well, I think the paradigm has shifted and again, re-imagining IG. I think the paradigm has shifted. It used to be that you would be afraid that you would get in trouble for not having something that you should have.
Bill Tolson:
Yes.
Mike Salvarezza:
And the paradigm has shifted now, it's more likely that you're going to get in trouble for having something that you shouldn't have.
Bill Tolson:
That smoking gun will emerge.
Mike Salvarezza:
And I think that's a paradigm shift again, back to how do you look at the governance of information in your organization? Data minimization is a big part of it.
Bill Tolson:
Yeah. And that's a big point. I have discussions with potential clients with is data archiving is not capturing data and keeping it forever. It's managing it. And that includes defensible disposition, getting rid of stuff that you don't have to keep by law. There's no regulatory reason to keep it, and there's no value to it, to the business anymore. Get rid of it. And I know everybody in the information governance community understands that and I would assume agrees with it. So with that, Mike, I think that wraps up this edition of The Information Management 360 Podcast. I really want to thank you for this really insightful and enjoyable discussion on this timely subject and the changing information governance environment. I think we got into some points that were really above and beyond, and I really got a lot out of it.
Mike Salvarezza:
Well, thank you Bill, thanks for having me. I really-
Bill Tolson:
Yeah, no. That was great, Mike. It was a great discussion. So if anyone has questions on this topic or would like to talk to a subject matter expert, please send an email to Archive360, mentioning this podcast to info@archive360.com and we'll get back to you just as soon as possible. Mike, do you want to also give a channel that they can communicate and send questions to you at?
Mike Salvarezza:
Certainly if you want to learn more about the MER Conference or MER in general, go to merconference.com and there are contact points on that website. And if you want to reach me, you can reach me through merconference.com.
Bill Tolson:
And keep looking at the MER organization. I with Archive360, we'll be doing a webinar for MER. I think at the end of this month, Mike, we will put links and announcements on our page. So you can sign up for it. Also check back with us on the Archive360 resources page for new podcasts with leading industry experts like Mike on a regular basis. And with that, we will close it out again. Thank you very much, Mike. It was fantastic. Look forward to more.
Mike Salvarezza:
Thank you.