Follow Us Subscribers SAVE 30%

Call 855-808-4530 or email to receive your discount on a new subscription.

Commercial Law Technology Media and Telecom

Data Breach Prevention and Information Governance Go Hand-In-Hand

Information governance has a wide range of varying definitions, depending on whom you ask. Some consider it to be an amorphous collection of policies that are difficult to translate into the real world. Others view it as a holistic strategy document, or a series of discrete, tactical projects that implement best practices in data security or storage optimization.


Thank you for sharing!

Your article was successfully shared with the contacts you provided.

Information governance (IG) has a wide range of varying definitions, depending on whom you ask. Some consider it to be an amorphous collection of policies that are difficult to translate into the real world. Others view it as a holistic strategy document, or a series of discrete, tactical projects that implement best practices in data security or storage optimization.

Organizations struggle with the notion of information governance for a variety of reasons. Some lack the executive support necessary to get programs off the ground, while others feel hampered from executing on small, tactical projects due to their legal or regulatory profile. Equally confusing is the purpose of IG ‘ whether it is intended to reduce storage costs, improve e-discovery or impact corporate risk and security.

When executed well, IG can accomplish all of these things and more. But one of its most meaningful results is the differentiation of data types and stronger security protocols around a corporation’s most sensitive data. Because not all enterprise data is created equal, different data requires differing levels of protection. As we’ve learned from the long list of publicized data breaches, there is an increasing need for companies to get smarter about locating, organizing and securing their truly sensitive data.

For the vast majority of organizations, progress on this front is gradual. This was illustrated in a recent study of in-house lawyers, examining the health and success of IG programs within Fortune 1000 corporations, which found that most are in the early stages of IG adoption. In the study, data security was the top recurring theme across responses when participants were asked about IG drivers within their organization. And while 76% of respondents confirmed they have IG programs within their organization, there were more than 30 areas of focus listed.

Regarding data security efforts, many corporate teams agree that initiatives can be parsed into four key areas: 1) securing sensitive personally identifiable information for clients, patients and employees; 2) securing sensitive company intellectual property; 3) creating a tiered security network to protect against security breaches; and 4) developing protocols and systems to ensure secure access to the network for partners and other approved third parties. Addressing each of these buckets with focused projects helps protect the organization’s data from internal and external threats and makes it easier to tackle the seemingly insurmountable task of arming the company against a data breach.

Common Roadblocks

It is first helpful to understand the top challenges teams face when working toward IG programs.

Work Styles and New Technology

For many companies, the main challenge is that employees are working and collaborating in new ways that are enabled by the proliferation of cloud-based applications. In the study mentioned above, nearly a third of respondents indicated this as a roadblock, and cited that the wide variety of collaborative tools and mobile devices combined with the lack of employee awareness to sensitive information has made the prospect of controlling where data is shared increasingly complicated. Employee conduct comes into play with this issue, and the lack of control points to the need for processes and training that would help prevent employees from making poor information management decisions.

Identifying a Starting Point

Organizational structure is often mentioned as a barrier because various parts of a company are responsible for different elements of information governance. Because IG involvement ranges from legal and IT to risk, records management and security, corporations find it daunting to prioritize which areas need attention first. If the scope of the project is too huge, it can and will fall under the weight of itself.

Big Data

There are countless software systems ‘ both legacy and new ‘ and many needs for information stored in many different places and ways, making cohesive IG difficult. Further, organizations are trying to manage rapidly evolving data ecosystems that span personal computers, mobile devices, social media and myriad cloud-based collaboration tools. Legacy data is difficult to store and retrieve, but may still be relevant for existing legal hold or other uses. This, combined with increasing data volumes and BYOD (bring your own device) work environments, produces a level of disorganized complexity that causes confusion and security risk.

Human and Financial Capital

In the study mentioned above, 25% of respondents noted lack of resources as a key challenge for IG. For some, it was a matter of mere headcount to get the job done. Many worried about the fact that IG is an initiative that should include collaboration across teams within various functions, from IT and records management to legal and the lines of business. This fact, combined with difficulty in securing buy-in from key stakeholders, can hinder an IG initiative from the start. For the handful of companies with resources solely dedicated to IG, the average number of staff is four, and budgets ranged from $200,000 to $20 million among the companies that were able to quantify their IG spend. Most companies do have at least one in-house person handling IG, but these roles typically span a range of other areas as well.

Tips for Success and Added Benefits

Overcoming the challenges outlined above is realistic, and many corporations are seeing success. Following the key principle of “don’t let perfect be the enemy of good,” will guide teams toward a step-by-step approach that focuses on the basics. By basing programs on key business requirements, projects will be more likely to come to completion and have tangible results. Additional tips for successfully getting IG off the ground include:

Ultimately, IG programs can help corporations identify their most at-risk datasets, reduce them compliantly and add security protocols to protect against a data breach. The benefits of these efforts are far reaching, although can be difficult to quantify. Beyond avoidance of severe financial implications brought on by a data breach, corporations that get it right achieve reputational savings and keep their brand image intact. Additionally, IG initiatives often involve internal education and awareness, which helps employees understand the company’s security responsibilities and goals, and their role in maintaining sound IG.

While many describe their IG programs as nascent, with broad policies still in the works, focused, tactical projects are offering benefits. Among these are reduced storage costs resulting from maintaining data deletion practices and improved e-discovery processes. Streamlined legal hold and information collection and reduced data sets are common outcomes of IG work, and can significantly improve e-discovery efficiency.


In total, information governance is still a relatively new concept, and while it poses a number of challenges ‘ spanning technology, processes and culture ‘ it is providing early adopters with some key advantages. By understanding the basic mechanics, corporations can better outline programs that make sense given their needs and regulatory profiles. With the risks of today, and the commonality of cyber attacks, security should be at the heart of all IG projects. Identifying and mitigating sensitive data repositories are only effective if a company is then ready to do what it takes to protect that key information.

Jake Frazier is a senior managing director at FTI Consulting, based in Houston. A member of our Board of Editors, he heads the information governance and compliance practice‘in the technology segment. Frazier assists legal, records, information technology and information security departments identify, develop, evaluate and implement in-house electronic discovery and information governance processes, programs and solutions. These solutions are designed to produce the largest return on investment while simultaneously reducing risk. Frazier is a founding member of the Electronic Discovery Reference Model and is also a member of the Sedona Conference.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.

Read These Next