For leaders and counsel in many organizations, the word “cybersecurity” typically triggers concerns about the IT department, conjuring images of hackers and requiring unfamiliar terminology such as “firewalls” and “encryption.” However, at its essence, cybersecurity is an information governance issue: it affects an organization’s most valuable assets, including financial data, employee and customer records, and intellectual property.
If the Target data breach was not motivation enough to focus on this issue, organizations should recognize the current administration’s emphasis on cybersecurity, beginning with President Obama’s 2013 Executive Order on Improving Critical Infrastructure Cybersecurity. Since then, a number of government agencies have begun to study cybersecurity more closely. Consider the agencies that have already taken steps in 2014:
- In January, the Financial Industry Regulatory Authority issued a Targeted Examination Letter on cybersecurity announcing its intent to assess firms’ “approaches to managing cyber-security threats.”
- In February, the National Institute of Standards and Technology released the Framework for Improving Critical Infrastructure Cybersecurity, designed to serve as standards for helping organizations cost-effectively manage cyber risk.
- In February, the U.S. Commodity Futures Trading Commission issued a list of Gramm-Leach-Bliley Act Security Safeguards that require covered entities to “develop, implement and maintain a written information security and privacy program.”
- This week, the Securities and Exchange Commission is hosting a cybersecurity roundtable; in January, it published examination priorities that included information security.
The best practices recommended by these agencies include written information security and privacy programs, risk assessment protocols, business continuity plans, disclosure processes, and training procedures. They also recommend regular evaluation of third parties responsible for storing the organization’s data.
Before organizations can comply with these agency recommendations—which are likely to become a measuring stick for compliance in the future—they must inventory their information and determine what types of data they own, where that data resides, and what format it is stored in. But today’s information volumes make reviewing every document, or even spot-checking certain repositories of documents, impractical and ineffective. To simplify this daunting task, organizations should use analytical tools, including technology-assisted review (TAR). For instance, TAR can catalog information and sort it into relevant buckets for storage, facilitating the process of keeping accurate records of data. In addition, TAR can identify legacy data or data that is ripe for deletion under a records retention program, particularly e-mails—and it is much more accurate and consistent than allocating this task to human reviewers, whose subjective review of content may lead to differing retention decisions.
In short, using discovery tools such as TAR for information governance purposes can not only save organizations time in implementing information security protocols, but also conserve resources by limiting the overpreservation of unnecessary information, while the proactive categorization of information improves preparation for litigation.