Last month’s Master’s Conference in London included presentations and discussions on issues relevant to electronic discovery, including artificial intelligence and different jurisdictions’ legislative and regulatory responses to that new technology, project management and legal operations issues, document review platforms, cross-border discovery, information governance, and data privacy. During these discussions, participants noted that the factors compelling organizations to improve their information governance and records management practices have changed over time.
Since its inception, one of the primary objectives of information governance has been the reduction of risks and costs associated with keeping records and data longer than necessary for business and legal compliance purposes. As organizations began generating, storing, and accumulating massive amounts of electronic records and data, they were motivated to adopt effective information governance practices in order to address the new costs and burdens associated with this influx of information. In essence, more data resulted in increased overhead expenses for data storage, more time spent by employees sifting through electronic records, and a greater need for oversight, organization, and control. Information governance, therefore, was seen by many organizations as a means of managing these costs and needs.
Over time, technological innovations caused data storage and management to be cheaper and more efficient, which made it easier for organizations to manage large volumes of data. However, information governance retained considerable value for organizations seeking to limit risks and costs associated with electronic discovery in litigation and other legal proceedings. In particular, significant sanctions for spoliation and heightened costs associated with e-discovery efforts involving large volumes of electronic records and data spurred many organizations toward more effective information governance practices as a means of controlling these risks and costs.
Perhaps even more than e-discovery risks and costs, data privacy concerns have highlighted to many organizations the need for comprehensive information governance practices with a focus on data flows and controls. The European Union’s adoption of the General Data Protection Regulation (“GDPR”) and other jurisdictions’ implementation of data privacy and protection laws have created additional pressures on organizations to document and refine their methods of managing, processing, storing, and transferring information.
Increasingly, though, organizational leaders are seeing cyber-attacks and data breaches as the foremost driver of information governance improvements. Such attacks and breaches have become far more common in recent years, and many organizations have already addressed a potential or actual data breach event in some way. Also, organizations are finding that the costs associated with remediating a data breach, complying with data breach notification requirements, dealing with related threat actors, and absorbing negative consequences to their reputations are substantial and, in fact, increasing.
What might be the results of this shift in factors motivating information governance? First, organizations are prioritizing information governance efforts related to their most sensitive data. For instance, electronic records containing personally-identifying information of their employees and customers are often among the first sets of data that organizations are targeting with improved information governance practices. Likewise, information that is sensitive in light of business relationships (such as confidential information subject to non-disclosure agreements among business partners) and/or regulatory requirements (such as technical information subject to export control regulations) are also often priorities for attention under updated information governance practices.
Many are excited to see what new functionalities artificial intelligence may offer in the realm of information governance. With its new driving factors of data privacy and data breaches, organizations implementing new or updated information governance practices might find considerable utility in artificial intelligence tools that automatically classify data into categories based on their content, that associate retention and access restriction practices on the basis of those classifications, that provide for automated workflows to dispose of data unnecessary to the organization’s business and legal compliance needs, and that quickly disable access to certain data in light of pre-defined triggering events.