
Search Results

  • Ever Wondered Where AI Might be Lurking Within Your Company?

    AI Inventory: Foundation for Governing AI Usage

    In today's digital age, understanding where your AI operates is almost as crucial as knowing your customers' wants and needs; both are drivers of success. In the past decade, we have seen Artificial Intelligence (AI) revolutionize businesses by driving data-driven decision-making, automating tasks, personalizing customer interactions, and unlocking many other innovative opportunities. To remain competitive, businesses are compelled to leverage AI to advance their operations. Whether internally developed, integrated into Software-as-a-Service (SaaS) solutions, or procured as customizable tools, AI touches almost every facet of an organization.

    Unfortunately, AI often enters organizations through many channels, and awareness of its presence is not guaranteed. For example, when licensing a SaaS platform for customer helpdesk management, AI functionality is likely embedded within the software. Similarly, employees may use AI tools such as ChatGPT, a publicly available generative AI assistant accessible through a web browser, to draft customer communications. Regardless of how AI enters business processes, ensuring its trustworthiness and governance throughout its lifecycle is imperative to build trust with stakeholders, customers, and employees, and to shield the company from potential consequences. This starts with conducting and maintaining an inventory of AI use cases.

    Why the Heightened Focus on Trustworthy AI?

    AI has existed for decades, but recent developments have propelled it into the spotlight. Advances in machine learning, neural networks, and natural language processing have produced far more powerful AI models. These models are now widely deployed and embedded in critical systems such as healthcare, finance, and autonomous vehicles, with the potential to significantly affect lives. Furthermore, AI systems have themselves become targets for cyberattacks, and AI-generated deepfakes and misinformation give criminals new ways in. Heightened public scrutiny of AI's ethical implications underscores the importance of trustworthy AI. Any misstep by an AI system can have far-reaching consequences, prompting governments to intervene swiftly.

    The Rapid Emergence of AI Laws and Regulations Mandating AI Inventories

    Organizations should govern their use of AI to mitigate risks and ensure compliance with laws and regulations. With AI laws and regulations evolving rapidly, organizations need to stay informed of the latest developments and be able to determine whether a new law or regulation affects a currently deployed AI solution.

    Where are Laws Heading?

    Let's discuss where the requirements are heading. United States Executive Order 13960, Section 5, requires federal agencies to inventory their AI use cases, promoting the use of trustworthy AI in the federal government. President Biden's Executive Order 14110, signed in 2023, further emphasized safe, secure, and trustworthy AI development and requires federal agencies to make their AI use case inventories publicly available. Even though Executive Orders 13960 and 14110 apply to federal government agencies, organizations can anticipate that similar requirements will likely reach the private sector. Similarly, the recently adopted EU AI Act imposes obligations on providers and deployers of AI systems based on each system's risk level and potential impact, which in practice requires maintaining an inventory of AI use cases. States like Colorado have passed AI legislation, and Colorado's insurance Regulation 10-1-1 mandates documented, up-to-date inventories of the algorithms and predictive models used by life insurers, with plans to expand to other lines of insurance. Several more states are working on AI governance bills.

    To view a consolidated list of what countries are doing on AI governance, check out the Global AI Law and Policy Tracker maintained by the IAPP.

    An AI Inventory is the Foundation of Governing and Complying with Laws and Regulations

    Organizations may be well served by requiring that all AI use cases be inventoried and reported to a central entity within the company before implementation. Inventorying AI use cases offers numerous benefits and is the foundational step in effectively mitigating risks and governing their use. It gives organizations a comprehensive understanding of their AI landscape, including the types of AI technologies deployed, their respective functions, and their integration into various business processes. This knowledge enables companies to identify potential vulnerabilities, assess risks, and implement targeted mitigation strategies. Additionally, by maintaining an inventory of AI systems or use cases, organizations can monitor compliance with evolving regulatory requirements and industry standards. This proactive approach not only minimizes liability but also enhances trust and credibility with stakeholders and the public. Furthermore, an AI inventory facilitates transparency and accountability in AI governance, as it enables organizations to track the performance, usage, and impact of AI systems over time. By establishing clear oversight mechanisms and protocols for developing, implementing, monitoring, and evaluating AI deployments, companies can govern their use effectively, promote responsible AI practices, and uphold ethical standards. And it can be anticipated that more laws and regulations will require an inventory.

    What Should be Considered as Part of the Inventory

    Key information about each AI use case should be collected as part of the inventory, including the responsible business unit or department; contact information for technical and business owners; a description of the use; whether it processes personal data or other sensitive classes of information; the status of the use case (e.g., development, pilot, production, retired); the type of AI technology used (e.g., machine learning, natural language processing); attributes of the training data and source code, including their provenance; third-party involvement; and other pertinent data that would help determine the initial risk level of the use case and its ongoing governance requirements. The inventory can also support litigation, audits, and investigations, and provide a quality check for other compliance programs such as privacy, security, records management and retention, and third-party risk management.

    Conclusion

    The convergence of technological progress, societal impact, and ethical considerations has propelled AI trustworthiness to the forefront of discussion. Responsible development and robust safeguards are essential to navigate this new era of AI, beginning with understanding the AI use cases within your company. An AI inventory is not merely a compliance exercise; it is a business benefit. Companies that proactively inventory their AI use cases may gain competitive advantages, mitigate risks, and build public trust. As the private sector follows governments' lead in investing in AI inventories, it becomes a smart business decision to protect your company. No matter the direction of the law, there are significant business and legal benefits to knowing how you are using AI in your company.

  • Retention Policies have Turned into Powerful Instruments 

    Don't Be the Executive That Didn't Provide the Resources and Funding to Keep Retention Policies Current

    In the relentless surge of data, companies stand at a crossroads. Their once-prized asset, the troves of information collected, now teeters on the precipice of liability. The stakes are high, and the consequences are real. Updating retention policies is no longer a mere administrative chore; it is a strategic imperative. Failure to act turns data from an enabler into a ticking time bomb.

    Why Retention Policies Matter More Than Ever

    Legal Minefields: Privacy laws are tightening their grip and demand meticulous handling of data. Non-compliance is not a slap on the wrist; it is a financial guillotine. The GDPR, the CCPA, and their global counterparts carry real enforcement power, and companies must comply or face the consequences. Beyond compliance, it is about ethical stewardship: a fiduciary duty to protect the digital legacy.

    Cyber Shadows: Cyber threats loom larger than ever. Data hoarding, keeping information beyond its useful life, enlarges the attack surface: data you no longer hold cannot be stolen. Breaches are not just embarrassing; they are business-crippling. Imagine your company's crown jewels exposed because of outdated policies.

    Technological Whirlwind: AI, IoT, and predictive analytics churn out data like cosmic factories. Retention policies must adapt. Ignoring this is akin to building a house on shifting sands.

    Management's Ethical Duty: It is not just about compliance; it is about ethics. Management's fiduciary responsibility extends beyond shareholder returns to safeguarding the digital legacy. Predictable data lifecycles ensure responsible stewardship.

    Business Activities: To stay competitive, many businesses are expanding their activities. Retention policies must define a predictable end of life for all data created, used, and managed by the company.

    Third Parties: Third parties are now routinely part of a company's data ecosystem. They must understand what is required of them when handling your data, including when to delete it.

    Why Should the Board and C-Level Executives Care?

    Strategic Risk: Data retention policies are foundational governance tools. They shape how data flows through the organization. The Board and C-level executives should view them as strategic risk mitigators. Outdated policies expose the company to legal, financial, and reputational risk.

    Ethical Imperative: As custodians of the company's destiny, leaders bear an ethical responsibility. Data is not just ones and zeros; it is people's lives, aspirations, and trust. Updating retention policies reflects a commitment to ethical data management.

    Resource Allocation: Funding for retention policies often takes a back seat. But consider this: inadequate policies drain resources. Legal battles, data breaches, and lost opportunities cost far more than proactive policy updates.

    Privacy and Cyber Risk Profiles: Retention policies should be woven into privacy and cyber risk profiles. They are not standalone documents; they are the backbone of data governance.

    So, leaders, take heed. The data you hold is not static; it pulses with potential and peril. Updating retention policies is no longer an administrative chore; it is foundational governance for the data's lifecycle.

  • Redefining Corporate Security: The Hidden Risks of Remote Work

    In an era where remote work has become the norm, corporations must confront a new reality: the surge in insider threats arising from the remote work landscape. In this blog post, we explore the unsettling statistics and trends that emerged in 2022, which should concern any organization intent on safeguarding its sensitive data.

    The Location Barrier Shattered

    The transition to remote work has shattered the traditional location barrier that once confined employees within the four walls of the office. With this newfound freedom, employees can work from virtually anywhere, but at what cost? In 2022, 12% of departing employees left their organizations with valuable assets, including customer data, employee data, health records, and more. The question lingers: can you be certain that your organization is immune to this threat?

    The Rise of Unsanctioned Side Hustles

    The oversight of employee activity that came with working in the office has dissipated in the remote environment. As a result, some employees are using this freedom to pursue side hustles while on the company clock. With their activities no longer under active supervision, instances of unsanctioned third-party work on corporate devices rose 200% in 2022. The line between corporate commitment and personal endeavors has blurred, making it crucial for corporations to reassess their risk exposure.

    The Cloud Conundrum

    Cloud-based systems have revolutionized data access, making it more convenient than ever. That convenience has a dark side: in 2022, unsanctioned application usage rose 55%. While employees enjoy the convenience of cloud-based tools, their unsanctioned use, typically outside the reach of corporate logging and data loss controls, poses a considerable risk to organizations. It is time to scrutinize this growing issue.

    The Exodus and Data Theft Nexus

    Employee turnover during the first half of 2022 was 20% higher than pre-pandemic levels. Alarmingly, this exodus coincided with a 35% rise in data theft incidents caused by departing employees. The correlation underscores the grim reality that many employees leave their organizations with a parting gift that was never meant to be given.

    As remote work continues to evolve, corporations must confront the need for policy changes and heightened vigilance regarding insider threats. These 2022 statistics are a stark warning: the traditional office boundary may be gone, but the insider threat is alive and thriving. Now more than ever, organizations must take comprehensive steps to secure their data, protect their assets, and ensure that remote work does not translate into unseen vulnerabilities.

    Source of Stats: DTEX

  • Elevating Data Privacy: The Imperative of Mastering Third-Party Contracts

    In today's digital era, data privacy stands as a pillar of business operations. Corporations, increasingly reliant on third parties to manage sensitive data, find themselves at a crossroads where contract comprehension is not merely an option but a necessity. Failure to engage deeply with these agreements leaves organizations exposed to non-compliance, reputational erosion, and financially crippling legal repercussions.

    Our experience in assisting clients often reveals inadequate contract language where third-party engagements are concerned. Regrettably, we are often called upon only after the consequences of a third-party data mishap come to light. In many instances, had there been a systematic review, comprehensive analysis, and diligent monitoring of third-party contracts, the risk could have been minimized or averted entirely. This blog post explores the urgency of scrutinizing contract clauses, especially those governing the handling of personally identifiable or health-related data.

    The Peril of Ignorance

    Contracts binding third parties responsible for data management are not mere formalities. They are complex legal pacts that establish the rules and responsibilities governing data handling, privacy, and compliance. Failure to grasp the intricacies of these agreements can lay the foundation for catastrophic repercussions. According to recent research by the independent analyst firm Forrester, "Forrester data reveals that 55% of security professionals reported their organization experienced an incident or breach involving supply chain or third-party providers in the past 12 months."

    The landscape of third-party and credential-related breaches is increasingly alarming, with significant incidents making headlines in 2023. AT&T reported a breach affecting roughly 9 million wireless accounts after unauthorized access to a marketing vendor's system. Chick-fil-A disclosed a credential stuffing attack that compromised around 71,000 customer accounts; such attacks work by replaying passwords leaked in other companies' breaches and reused by customers. LinkedIn, in 2021, saw data on over 700 million users scraped and offered for sale. These incidents underscore the need for organizations to fortify their defenses, especially when customer data flows through vendors and partners. Shockingly, a survey by the Ponemon Institute and Shared Assessments found that 62% of organizations do not actively monitor the cybersecurity and privacy practices of their third-party vendors.

    When assisting our clients, we often encounter an absence of adequate tools for standardizing contract language and keeping it aligned with evolving data privacy, handling, and retention laws and regulations. Legacy contracts, left unattended, only add to the complexity. Grappling with existing contracts while negotiating future ones to mitigate risk is a significant challenge, but one that organizations cannot afford to overlook.

    Mastering Contract Clarity

    Understanding third-party contracts is not an endeavor confined to legal departments; it must be a concern for all stakeholders within an organization. Contracts frequently contain clauses specifying data handling practices, security requirements, breach notification obligations, and compliance duties. A comprehensive understanding of these terms lets corporations identify and proactively address potential risks. Legal and procurement professionals must rely on input from security, privacy, records, compliance, and other experts to ensure contracts contain appropriate language in each domain. Mastery of contracts also enables corporations to demonstrate due diligence in the event of a compliance breach, potentially mitigating legal liability. In an era of stringent data protection laws, ignorance is no longer a permissible defense.

    Data breaches and privacy violations can inflict irreparable damage on a corporation's reputation. A thorough grasp of third-party contracts allows organizations to honor their commitment to data privacy, preserving their brand integrity and the trust of their clientele.

    Gaining Control Over Third-Party Contracts

    Artificial Intelligence (AI) technology is changing contract management and risk mitigation by automating review tasks, surfacing clauses that deviate from standard language, and improving the efficiency of contract-related processes. This technology allows organizations to manage risk proactively, reduce errors, and make more informed decisions about their contractual obligations.

    Embracing Accountability

    In the realm of data privacy, ignorance is risky, not blissful. Corporations must acknowledge their ultimate responsibility for the data they collect and entrust to third parties. Neglecting the nuances of third-party contracts is a gamble no organization can afford. Understanding contracts transcends legal obligation; it is a strategic imperative that marks the line between successful data management and catastrophic failure. By prioritizing contract comprehension and actively enforcing compliance, corporations can safeguard themselves, their customers, and their future in an ever more data-centric world.

  • Do Your Information Governance Policies Address Biometric Data?

    As technology advances, the collection and storage of biometric data has become prevalent across industries. Biometric data, which uses unique physical and behavioral attributes for identification, offers organizations many benefits. The legal definition of biometric data varies by jurisdiction, so privacy and data management practices need careful consideration.

    Many information governance professionals believe their companies are not using biometric-related technology; therefore, most have no governance rules over the data. At Kahn Consulting, when we engage with a client, we use a process called "business profiling" to understand the company's business activities, technology, and data. Often, when we start exploring biometrics, the information governance professionals and lawyers immediately say we can skip that line of investigation because the company doesn't use any biometric-related technology or data. However, once we walk through the potential uses below, they lose confidence in their initial answer and appreciate why they need to do more homework to determine what the company may be doing with biometric data.

    Here are a few examples of where biometric data is being used. Hopefully they will prompt you to consider where your company might use biometric data and to determine whether your information governance policies, processes, and practices address it.

    Biometric Banking: Banks use biometric authentication such as fingerprint or iris scans to improve account security and prevent fraudulent transactions. Wells Fargo and Barclays are among the banks that have adopted biometric banking features.

    Workforce Management: Companies use biometric time and attendance systems, such as fingerprint or palm scans, to accurately track employees' working hours and streamline HR processes. ADP's Time and Attendance solutions are one example.

    Payment Systems: Companies are using biometrics such as palm prints to tie a payment to a specific credit or debit card. Amazon uses this technology in its brick-and-mortar stores.

    Facilities Management: Many companies use biometric entry systems for buildings or high-risk areas such as data centers and research facilities. Facebook, Google, Apple, and Tesla have used such systems for years.

    Timekeeping Systems: Organizations with hourly employees often use timekeeping systems that require biometric identification to prevent fraudulent time tracking. Walmart, Home Depot, FedEx, Ford, UPS, and Target are examples.

    Biometrics in Healthcare: Hospitals and healthcare facilities use biometric identification to secure access to medical records and prevent fraud. Companies like Imprivata, Cerner, and Epic provide biometric authentication for healthcare.

    Biometrics at Airports: Airports employ biometric screening to expedite security checks and boarding. Heathrow Airport in London, for instance, uses facial recognition for faster clearance.

    Smartphone Security: Phone makers use fingerprint, face, or iris recognition to unlock devices and apps conveniently and securely. Examples include Apple's Face ID and Samsung's ultrasonic fingerprint scanner. Face ID matches on the device itself and never sends the face data off the phone, a useful model for any biometric deployment.

    End User Identification: Behavioral biometrics track user behaviors such as typing speed, keystroke dynamics, mouse movements, touchscreen interactions, and even the angle at which a user holds a smartphone. By continuously monitoring and learning these behaviors, the system builds a unique profile for each user. The Royal Bank of Scotland is one financial institution using such technology to protect its customers.

    Entry to Events: Event management companies, professional teams' stadiums, and concert halls are using facial authentication for faster entry. The Cleveland Browns now use facial recognition for stadium entry.

    Biometrics in Sports: Athletes' performance, fitness, and recovery are tracked using biometric data in sports analytics, helping coaches and athletes optimize training and improve performance. Many NFL, NBA, and MLB teams use this technology to improve performance and monitor the health of their players.

    Biometrics for Health Diagnosis: Biometric data aids medical diagnosis and treatment planning. Retinal scans can help detect early signs of certain diseases, and voice analysis may help diagnose certain medical conditions. The Mayo Clinic is among the healthcare organizations advancing this use.

    Border Security: Biometric passports and visas verify travelers' identities, enhancing security and streamlining immigration. Many countries have implemented biometric border controls; US Customs and Border Protection's Biometric Exit program is one example.

    National ID Systems: Countries have introduced biometric ID cards or databases to give citizens unique identities and improve government services and welfare distribution. India's Aadhaar program, for instance, uses biometric data to identify residents and grant access to services.

    You get the point: biometric data is everywhere. Governance professionals should assume it is in use somewhere in their company and do the homework to determine the facts. High-risk data must be identified and managed according to laws, regulations, and business needs.

    Data Management Challenges

    Security Breaches: Biometric data is valuable to attackers, and unlike a password it cannot be reset once exposed. Businesses must have strong security measures to prevent unauthorized access and data breaches.

    Data Storage and Retention: Securely storing biometric data is essential, and companies should retain it only as long as necessary. Prolonged retention increases the risk of exposure and misuse.

    Consent and Transparency: Obtaining informed consent, as the law requires, before collecting and using biometric data is critical. Transparency about collection and storage practices builds trust with users.

    Legal Compliance: Biometric data collection is subject to a variety of protection laws and regulations. Violating them may result in serious legal repercussions and harm a company's reputation.

    Ethical Concerns: Companies must grapple with the ethics of using biometric data, balancing the benefits of the technology against the risks to individual privacy and human rights.

    Mitigating Risks and Ensuring Responsible Biometric Data Management

    Encryption and Access Controls: Use strong encryption and access controls to protect biometric data from unauthorized access, and store protected templates rather than raw images or recordings wherever the product allows.

    Pseudonymization and Separation: A biometric template is inherently identifying, so true anonymization is rarely achievable. Store templates separately from the records that name the individual, linked by an internal identifier rather than by name, so that a single compromised store reveals as little as possible.

    Regular Security Audits: Conduct frequent security audits and vulnerability assessments to identify and fix weaknesses in data storage and protection.

    Secure Data Sharing: Establish stringent data-sharing agreements with third-party providers and verify that they adhere to the same data protection standards.

    Data Minimization: Limit biometric data collection to the minimum required for the intended purpose and avoid excessive retention.

    While biometric data offers numerous benefits, it also presents significant privacy and data management challenges. Companies must prioritize the security and protection of biometric information, given that this data cannot be changed once exposed. Organizations can mitigate risk and ensure responsible biometric data management by implementing robust security measures, obtaining informed consent, and adhering to legal and ethical guidelines. Safeguarding user privacy should remain at the forefront as technology continues to shape our interactions with the digital world.

    #biometricdata #biometricdatasecurity #informationgovernance #infogov #informationretention #privacy #legal

  • Data: The Universal Love Language of our Global Economy

    At Kahn Consulting, we understand the critical importance of data as the universal love language of success and security. Our team of experts is committed to guiding your organization toward a future that harnesses the full potential of your data assets while ensuring robust protection against threats.

    Data has become the currency that fuels innovation and drives competitive advantage in today's digital landscape. Just as a love language enables meaningful connections, data enables businesses to understand their customers, adapt to evolving market trends, and make informed decisions that propel growth. Embracing data as a love language empowers organizations to unlock the hidden potential within their data assets.

    Data, when harnessed effectively, acts as a catalyst for operational excellence. It holds the key to making organizations faster, better, and more cost-efficient. By leveraging advanced analytics, artificial intelligence, and machine learning, businesses can extract valuable insights from their data, optimize processes, enhance decision-making, and gain a competitive edge in their industries.

    In the rapidly evolving digital age, it is no longer sufficient for organizations to treat data reactively, using it only for audits, investigations, litigation, or covering their backs. The true power of data lies in its proactive use: predicting the future, improving business processes, understanding customers, and creating innovative products that drive growth. To harness the full potential of data, a cultural shift must occur, starting at the top of the organization and permeating every level. We all need to learn a new love language: data.

    Leadership plays a crucial role in establishing a data-driven culture. When executives prioritize data as a strategic asset, it sets the tone for the entire company. By fostering a mindset that embraces data as a proactive tool for innovation and improvement, organizations can stay ahead of the curve rather than be left behind.

    The journey toward a proactive data culture requires a comprehensive approach. It involves investing in technologies such as predictive analytics, machine learning, and artificial intelligence to extract meaningful insights from data. Organizations also need to equip employees with the skills and knowledge to analyze and interpret data effectively. Training programs, data literacy initiatives, and cross-functional collaboration can bridge the gap and create a data-savvy workforce.

    Just as love needs protection, data requires robust security measures to safeguard against threats. With cyberattacks and data breaches on the rise, organizations must prioritize data protection to maintain trust, brand reputation, and customer loyalty. By implementing comprehensive security frameworks and protocols, businesses can fortify their data kingdom and shield themselves from potential disasters.

    Treating data reactively is no longer sufficient in today's competitive landscape. Organizations that understand the true power of data and embrace it as a proactive love language will be positioned for success. By fostering a data-driven culture from top to bottom, organizations can unlock the transformative potential of data, gaining a competitive advantage and securing their future in the digital economy.

    #dataprotection #datacollection #datalovelanguage #digitaleconomy #cyberattacks #cybersecurity #informationgovernance #infogov #databreaches #privacy #compliance

  • Google's Failure to Suspend Auto-Delete Policy Results:

    A Lesson in eCommunications Technology Policies and Practices

    In the digital age, communication within businesses has shifted significantly. Companies now rely heavily on electronic communication technologies, such as chat platforms, for quick and efficient employee discussions. However, as the Google Play Store antitrust litigation demonstrates, eCommunications technology comes with its own challenges. This blog post identifies lessons learned from Google's situation as it relates to litigation and eCommunications technology.

    During discovery, the plaintiffs in the Google Play Store antitrust case raised concerns about the absence of Google Chat messages in Google's document production. In response, Google said that chat history was typically deleted after 24 hours and that this auto-delete setting was not suspended even after the litigation began. Instead, Google left it to individual employees to decide whether to preserve their chats. Although a Google information governance employee testified that Google Chat was typically used for quick, one-off conversations like an invitation to grab a coffee or for "sensitive," personal topics like birth announcements or promotions, an abundance of evidence suggested that employees routinely discussed substantive business matters on the platform, and some of the chats were deemed relevant to the litigation.

    As a result, the court found Google's failure to preserve this electronically stored information (ESI) unacceptable and granted the plaintiffs' motion for discovery sanctions. Google was ordered to pay the plaintiffs' legal fees; non-monetary sanctions were not imposed at that stage. The court noted that the lost Google Chat evidence could not be recovered through additional discovery because the messages had been deleted. Google did not take reasonable steps to ensure custodians complied with preservation requests, some employees failed to comply, and potentially relevant data was deleted.

    This case is a cautionary tale for companies using communication technology. It highlights the importance of robust policies and procedures for data preservation and retention. Key lessons include:

    Auto-Delete Policies: Companies should carefully assess the effect of auto-delete settings on relevant ESI and suspend or modify them when litigation becomes reasonably foreseeable. This means you need a proactive plan and process, including the technical ability to suspend auto-delete for identified custodians, ready before it is needed.

    Employee Preservation: If companies rely on employees to preserve information (which may no longer be advisable given today's technology), they must provide specific rules on how and where to preserve potentially responsive ESI.

    Employee Compliance: Businesses must educate employees on their data preservation responsibilities and verify that they comply with legal holds and preservation requests.

    Proper Communication Tools: Companies should evaluate the suitability of their communication platforms for different types of conversations. If substantive business discussions occur on a particular platform, steps must be taken to retain that data in compliance with laws and regulations and to preserve it when litigation, an audit, or an investigation arises.

    eDiscovery Preparedness: Proactive planning for eDiscovery is crucial. Companies should establish mechanisms to perform effective eDiscovery even in the face of challenges like auto-delete policies.

    Google's failure to suspend its auto-delete policy and to address how its eCommunication technology was actually used led to sanctions in the Google Play Store antitrust litigation. The case underscores the importance of establishing clear policies, educating employees, and proactively preserving relevant data. By doing so, businesses can mitigate risk, uphold their legal obligations, and avoid the consequences of data loss during litigation.

    Read more in the order.

    #informationgovernance #infogov #legal #eCommunication #Google #eDiscovery

  • Thinking Outside the Volcano: Five Steps to Navigating Exploding and Conflicting Information Needs

    "The marketing team wants to use ChatGPT to generate marketing collateral. Yet, the law department worries about copyrighted content used to train the model forming the basis of an intellectual property lawsuit and inadvertently “giving” OpenAI the right to use certain protected content. Underwriting wants to let artificial intelligence (“AI”) tools “underwrite” insurance policies, but the compliance team worries about the computer application “learning” to discriminate. Business planning professionals wish to extend the life of relevant information, but European Union (“EU”) privacy lawyers say that will run afoul of the General Data Protection Regulation (“GDPR”). One person’s hot is another person’s cold. One person’s trash is another person’s treasure. You get the idea. And that idea has taken center stage in the world of corporate information. At a time when professionals across industries and fields who are using AI want as much information as possible to predict business trends, for example, information security risk mitigation militates in favor of retaining less information for shorter periods: “AI is heavily reliant on large quantities of data, and without proper controls, data can be corrupted.”[1] Furthermore, “[a]ddressing privacy concerns while leveraging large datasets is also a challenge.”[2] While business folks want to keep content in collaboration environments forever for future reference, privacy and security professionals push back on growing the information footprint because more information creates greater privacy risk and more data to protect"...continue reading. #informationgovernance #informationmanagement #infogov #information #privacy #privacybydesign #security

  • Paper Record Storage is Still Rising but Why?

    A recent article in Forbes highlights Jim Thompson and his mega-successful paper storage business. This is confounding when most information today is created and stored electronically, and most companies recognize the risks and costs associated with retaining physical assets such as paper documents and backup tapes.

    Digital vs. Paper Information Management

    When comparing digital and paper-based information management, the advantages of digital storage are apparent in most situations. They can include the following:

      • Cost Efficiency: Physical storage costs can add up quickly, with an average cost of around $20 per document over its lifetime. In contrast, digital storage costs mere cents, resulting in significant cost savings for your organization.
      • Accessibility: Digital assets provide instant access and efficient retrieval capabilities, saving valuable time and, as reported by McKinsey, increasing overall productivity by 30% to 50%. Physical files, on the other hand, can be time-consuming and cumbersome to retrieve and manage.
      • Security: Digital storage offers robust encryption, access controls, and backups, minimizing the risk of data breaches. Physical files are more susceptible to theft, loss, or damage.
      • Cost During Litigation, Investigation, or Audit: The cost associated with finding, searching, recalling, transporting, copying, returning to storage, and managing physical files during legal proceedings, investigations, or audits can be substantial. A study by AIIM found that organizations spend an average of $880 per day on managing physical records during legal proceedings; going digital significantly reduces these expenses.
      • Harnessing the Value: Information stored on paper is challenging to leverage in tools like Artificial Intelligence, Machine Learning, data lakes, and data warehouses. Digitization opens up new possibilities for extracting valuable insights from your information assets.
      • Privacy Risk: Managing personal data on paper and backup tapes over time can introduce significant privacy risks. Going digital minimizes these risks and ensures compliance with privacy regulations.

    Billionaire Jim Thompson: Parlaying Paper Storage into Profits

    In the Forbes success story of billionaire Jim Thompson ("Moving Billionaire Jim Thompson Parlays Paper Storage Into Profits", forbes.com), we witness how paper storage can become a lucrative business endeavor. Thompson recognized the increasing demand for offsite third-party storage and capitalized on it. While Thompson's achievements highlight the profitability of paper storage, it is crucial for organizations to assess their business and legal requirements and the associated risks of storing physical content like paper, removable media, and backup tapes. In today's electronic world, it's imperative to question why organizations continue to store large amounts of paper when nearly all content is created electronically, and the electronic version is readily available, cost-effective, and provides comparable legal validity.

    Assessing Third-Party Offsite Storage Practices

    Companies should initiate a project to assess onsite and third-party storage practices and set the direction for the future, including remediation efforts. On average, organizations can reduce their physical document storage needs by 30% to 40% through comprehensive assessment and disposal efforts, as reported by ARMA International. The assessment project should include the following:

      • Comprehensive Assessment: Conduct a company-wide search to identify who is utilizing offsite storage, examining purchase orders, conducting surveys, and reviewing invoices to determine which vendors are being used for storage services.
      • Content Classification: Determine which content is eligible for disposal, categorizing poorly indexed or indeterminate files and applying reasonable and defensible criteria to establish retention requirements.
      • Access and Frequency Analysis: By reviewing recall records and consulting relevant departments, such as litigation, audit, investigation, and tax, determine the need for accessing specific content and how frequently it is accessed.
      • Duplicate Identification: Identify paper content that duplicates electronic files already stored in structured applications with easy access, allowing for efficient disposal.
      • High-Risk Content Identification: Identify high-risk content containing personal information, trade secrets, or other sensitive data to ensure it receives appropriate protection and handling.
      • Legal and Regulatory Compliance: We conduct thorough research to determine the true business, legal, and regulatory requirements related to paper storage, providing guidance on the acceptability of electronic versions.
      • Remediation Plan: Develop a comprehensive remediation plan tailored to your organization. This plan may include digitizing frequently accessed documents, disposing of content that has met its retention requirements, and implementing efficient document management processes.
      • Future Storage Policy and Practices: Develop robust policies and practices for all future storage needs. This ensures that content is stored appropriately, with expiration dates assigned and disposal processes in place. We can assist in reviewing contracts with offsite storage facilities to address costs that hinder disposal efforts.

    Case Study: Transforming Offsite Storage

    Kahn has teamed with many clients to reduce their paper footprint. A financial services client had over a million boxes and 200,000 backup tapes in storage. Our team executed a thorough assessment and identified significant opportunities for improvement using the steps outlined above. We applied defensible criteria to categorize and dispose of a significant portion of the stored boxes. By strategically evaluating the remaining inventory, including duplicates of electronic content and retention requirements, we reduced storage needs even further, which resulted in millions of dollars in savings year over year. Similarly, we worked with the client to evaluate and dispose of unnecessary backup tapes, resulting in significant annual savings. To ensure the client didn't find themselves in the same situation down the road, we developed policies and processes to ensure that only approved content was moved to offsite storage.

    Conclusion: Embrace a Secure and Efficient Future

    While paper storage may have its historical merits, the advantages of going digital are undeniable. By assessing current practices and setting direction for the future, companies can optimize their offsite storage practices, transition towards a more agile and secure future, and unlock the full potential of their information assets.

  • Information Knows No Borders: Business Profile is a Prerequisite to Updating a Retention Policy

    In today's rapidly evolving technological landscape, companies generate large volumes of data from various sources, including artificial intelligence, the Internet of Things (IoT), and pixel tags. While this data is critical to business operations, it also presents new challenges in information management and can become a liability. Companies must understand their information footprint and determine when information should be deleted to reduce risk and liability. Information's value decreases over time, and over-retaining it can have significant consequences ranging from damaging a company's reputation to privacy fines. Retention policies and schedules must include today's newly generated information to avoid legal and regulatory issues, cost, and litigation challenges. This blog will focus on how a company should consider updating its retention schedule.

    Traditionally, updating a retention schedule involved researching relevant laws and regulations to identify any changes in retention obligations. However, this approach is no longer sufficient with the proliferation of new data, technology, and business activities. Instead, companies must operationalize the retention schedule update process, starting with building a business profile that outlines, at minimum, the company's activities and where it conducts those business activities.

    A business profile defines what a company does and where it does it. It seems simple, but information knows no borders today, which makes it very complicated. A business profile is necessary to reduce the risk of forgetting information that needs a predictable end-of-life established, especially if it contains sensitive data. Newly generated data is growing and moving fast. Data no longer sits idly in one environment; it is transmitted, shared, sold, etc., at the speed of light. It should be assumed that a new type of data is routinely being generated, used, received, sold, shared, etc., in the company.

    Build a Business Profile

    So how do you build a business profile? Collect knowledge about the company's business activities. The graphic below shows various avenues that can be used to collect data about what the company does and where it does it. The traditional approach of "inventorying" information assets through department representatives is not exhaustive enough in today's complex information landscape, and it can leave high-risk data ungoverned.

    Before digging in, create a document, spreadsheet, or database that tracks what is being identified as business activities, what information each may utilize, and what jurisdictions are applicable. As you identify ways to explore your company's business activities, develop a process that can be operationalized. This will be discussed in more detail later in the blog. Keep it simple; don't over-engineer the process or tool used to track business activities and jurisdictions. If you make it too complicated, operationalizing it will be a bear.

    Dig, Dig, Dig

    As the graphic shows, there is no simple way to determine a company's business activities without doing some work. The retention program must lead the effort to dig in through various avenues. Today, companies and information have no borders that keep them contained. It is impossible to understand what laws and regulations apply if you can't identify the business activity and where the company does it. Let's discuss some of the digging that can be done to build the business profile.

    Organization Charts & Business Activities

    Organization charts are a great way to identify business activities. They help ensure that areas of the company are not forgotten. Start at the top of the organization and work down and across to identify business units, departments, horizontal functions, and roles that may utilize information. For each of these, take a pass at identifying what business activities are performed. This can be done through interviews, surveys, or workshops; reviewing shared drive taxonomy and labeling; reviewing ECM taxonomies; reviewing processes, SOPs, and procedures for the area; etc. Using the organization chart will help identify "hidden" or often overlooked activities. For example, the innovation department or its equivalent typically sits in the R&D business unit and is often overlooked because it is considered a "playground" and not a department that generates information with long-term business or legal value. Today that is an incorrect assumption. The innovation department uses newer technology like Artificial Intelligence (AI) to better predict the future. The data used by AI technology can be bought, shared, analyzed, and sold; all of these business activities involve information, and the company is responsible for managing this data, especially if it includes sensitive health or private data. Dig deep and wide: some activities are so small that employees may forget to identify them, even though they control high-liability information.

    Be sure to look for outsourced business activities that the department manages. Outsourcing a component of a business activity is very common where certain activities require specific expertise. However, even though the work is done by someone other than one of the company's employees, the company still has management responsibility for the data. Identify it and vet the details of ownership later.

    Strategies

    Conduct research to understand the company's strategies and objectives in recent years and what they are currently. This knowledge will help unearth potential new activities, technologies, and practices. For example, a strategy to reduce manpower on the manufacturing floor may aim to implement automated quality review cameras. These cameras will generate a new type of quality data that a human reviewer didn't generate (i.e., images, training/data models, etc.).

    Publicly Available Information

    Read, read, and read more about the company. Press releases, annual reports, the web, regulatory filings, etc., provide knowledge about your company's activities. For example, press releases are usually issued when new products or services are introduced, when the company is divesting a portion of the business, or when it is acquiring another business. Microsoft's acquisition of Activision Blizzard expanded its business activities into the gaming industry, and Oracle's acquisition of Cerner created a healthcare line of business for it. New lines of business are not always so large and prominent; consider adding transmitted data to an existing product (i.e., a stove or microwave). Each new business activity, product or product enhancement, improved customer service, improved quality, reduced cost, etc., warrants investigating what further data is being utilized. Word of caution: confirm and validate what you find, as the company may not publish all of the data.

    Contracts

    Contracts are a good source for identifying information that the company utilizes, sells, shares, etc. Contracts can identify system acquisitions and licenses, new technologies, new storage locations, relationships that have a data component, product components that may store or transmit data, business processes that have been outsourced, data ownership clarity, etc. Contracts are often overlooked when companies build or update retention schedules. This kind of review continually exposes high-liability information that needs to be addressed in policy.

    Current Policies

    Learn from existing policies and procedures across the organization. IT or the product business units are usually good sources to start with. Look at what they are governing as it relates to information and technology. For example, IT usually has a policy or SOP about drones on-premises, and the product department may have a procurement policy for drones used in relation to customer activities. IT usually has an asset inventory that includes systems, applications, cloud solutions, and technology such as IoT devices and pixel tags. Work backward from the list: identify what business activities each application automates and what departments use the application.

    Additionally, business units most often have policies or procedures related to specific business activities that are a wealth of knowledge about what the business unit does daily. For example, say you're a payroll processing company with a customer service helpline. The customer service department will have a manual for all representatives, and in the manual there might be a process outlining how to return a time clock for warranty repair. Who knew there was a small repair department sitting in the corner of the basement generating information and potentially handling private information stored on the returned time clock?

    Entry Points

    Explore the various ways technology and information can sneak into your company's ecosystem. Entry points into an organization are not as clear as one might like. Below are points of entry to consider when building your business profile. For each point of entry, there is more than likely a formal process or an "off the books" process that needs to be examined to determine what is funneling through it and what inventories or artifacts exist that would explain technology or data that came into the ecosystem through that route. And, ultimately, get a link into that process for future knowledge.

      • Traditional Procurement/Purchasing Process: Business units use the company's traditional procurement process to source technology.
      • Business Process Outsourcing: Business units outsource business activities to a third party, and with the contract comes technology that the supplier uses to support the business activities.
      • Third Parties, Contractors, Third Party Administrators: Business units engage with businesses that provide administrative services on behalf of another company. Often the services require technology to support the data that is generated by the business process.
      • Android and iOS Apps: It is common for companies to develop Android and iOS apps to create stickiness with their clients. These apps collect data, often sensitive data like geolocation, behaviors, etc.
      • IoT Devices: IoT devices come in all sizes and shapes and are used for many purposes. They can be used for internal activities such as monitoring inventory on racking systems, or in products to monitor customer behavior. They can be hidden in products (i.e., trash cans that send an "I'm almost full" signal to waste management).
      • Artificial Intelligence, Machine Learning, etc.: AI, ML, and similar technologies allow organizations to be creative. Identifying where this technology is used and how it gets into the company can be challenging because it usually operates under another activity.
      • Acquisition or Sharing of Information: Businesses are always looking for data to acquire or share to advance their market position or reduce operating costs. Acquiring and sharing data can be buried deep in a contract, agreement, or standard operating procedure.
      • Shadow IT / BYOD: Employees often use their own devices and software to do their work more efficiently. Virtual workplaces have added to the use of personal devices to conduct company business.
      • Open-source software: Companies can use open-source software for free, without going through the purchasing department.
      • Cloud services: Many cloud services offer free or low-cost versions that can be used by individuals or small teams.
      • Crowdfunding: If a company wants to develop a new product, it can use crowdfunding platforms like Kickstarter or Indiegogo to raise funds from the public.
      • Hackathons (internal and external): Companies can host hackathons or innovation challenges to encourage employees and third parties to develop new technologies and products.
      • Gamification: Companies can use gamification to engage employees and encourage them to adopt new technologies or work processes.
      • Open innovation: Companies can use open innovation techniques to collaborate with external partners, such as customers or suppliers, to develop new technologies and products.
      • Data Transmissions: Data transmission is another activity that is often overlooked in the contracting and procurement process. Many products and internal process improvement solutions transmit data today.

    Laws and Regulations

    This will vary by industry and business activity, but some initial homework and research can find critical laws and regulations that can be reviewed to determine what they govern. This can be thought of as working backward to determine what information a company generates. For example, the insurance industry has model laws published by the NAIC that state regulators can adopt. Explore the model laws to learn what business activities and associated information they recommend must be managed.

    Validate the Business Profile

    Once a draft of the business profile is complete, it should be socialized with critical stakeholders to ensure its accuracy. This may include senior leaders from each business unit, including IT, legal, compliance, and governance professionals.

    Operationalize the Business Profile

    Toward the beginning of the blog, we recommended developing a process that can be operationalized whenever you find a viable avenue to explore. For example, if researching the company's annual report was valuable in determining new lines of business or new technology implemented, then have a process to know when the annual report is released each year and implement a review period immediately following it. If reading contracts exposed data entering the company's information ecosystem, work with procurement and legal to determine how you get into the review process or, at minimum, gain access to review contracts once they are sourced. If reviewing the IT project or information asset list provided knowledge of new systems or technology entering through IT, then work with IT to get a notification when these are moving through the approval process. Updating the business profile and schedule will become organic and not a huge task every few years. It will also ensure newly generated data has its end-of-life determined when it enters the company or shortly after.

    Business Profile Complete, Now What?

    The business profile can be used for various purposes. Still, as it relates to the topic of this blog, updating the retention schedule, the business profile should be used to guide the organization through an inventory process to identify information assets; determine whether the information is a record or non-record, its storage location, its security classification, etc.; and confirm jurisdictions. Each business activity identified when developing the business profile should have one or many information assets assigned to it during the inventory process. If it does not, then further exploration needs to occur to understand why the business process uses no information. That seems highly unlikely, given today's world. After all information is identified, the existing retention schedule can be updated, or created if the company doesn't have one or wants to use a more modern style of schedule. The business profile can be shared with other information governance initiatives like privacy and security to ensure those programs have addressed all information assets.

    Food for Thought

    Many companies have advanced the purposes of a retention schedule. They are using the schedule as an "information asset inventory" that holds other information governance knowledge such as privacy (i.e., Personally Identifiable Information: Social Security Number; PCI: credit card number; Health Information: Diagnosis), security (Trade Secret, IP, Confidential), and storage location (i.e., SAP, SharePoint, data warehouse).

    Conclusion

    Updating a company's retention schedule is essential in today's rapidly evolving technological landscape. Companies must start by understanding their business before understanding their information assets. By doing so, companies can be more confident that they have a predictable end of life for the information they are responsible for managing and protecting.

  • Get Your Information Management, Security, and Privacy Policies Ready for Wireless-Value Realization

    Wireless-Value Realization is a term coined by Gartner that refers to the utilization of wireless technologies, capabilities, and protocols to generate direct business value. It's not just about communication anymore; it's about leveraging wireless ecosystems to enhance analytical capabilities, improve reliability and scalability, and optimize costs. Gartner predicts that by 2025, 50% of enterprise wireless endpoints will use networking services that deliver additional capabilities beyond communication, up from less than 15% currently.

    As wireless technologies continue to advance and become more ubiquitous, organizations need to be prepared to proactively address the potential challenges that may arise with the widespread adoption of Wireless-Value Realization. Many companies have been caught off guard by the rapid deployment and use of AI technology in recent years, and it's important not to make the same mistake with wireless technologies. Organizations need to ensure that their information management, privacy, and security policies are ready to handle the potential risks and implications associated with the increased use of wireless technologies for business purposes.

    One of the key areas of concern when it comes to Wireless-Value Realization is privacy. With wireless technologies, data is transmitted over the airwaves, which can potentially be intercepted or accessed by unauthorized parties. Organizations need to have robust privacy policies in place to protect the sensitive information that may be transmitted through wireless networks. This includes ensuring that data is encrypted during transmission and storage and that proper access controls are in place to prevent unauthorized access to sensitive information.

    Security is another critical aspect to consider. As more devices and endpoints become connected through wireless technologies, the attack surface for potential cyber threats increases. Organizations need to implement strong security measures, such as firewalls, intrusion detection and prevention systems, and regular security audits, to protect against potential security breaches. Additionally, organizations should have incident response plans in place to effectively respond to security incidents and mitigate any potential damage.

    Another consideration for organizations is how to effectively manage the vast amount of data that may be generated through Wireless-Value Realization. Wireless technologies can enable the collection of large amounts of data from various sources, such as sensors, wearables, and IoT devices. Organizations need to have robust information management policies in place to effectively collect, store, analyze, and utilize this data in a secure and compliant manner. This may include data governance policies, data retention policies, and data lifecycle management practices.

    Organizations also need to be mindful of the potential ethical implications associated with the use of wireless technologies. For example, the use of wireless technologies for location tracking or monitoring employee activities may raise privacy and ethical concerns. Organizations need to establish clear guidelines and policies on the ethical use of wireless technologies to ensure that they are being used in a responsible and ethical manner.

    Wireless-Value Realization offers organizations significant opportunities for business value. However, it also comes with potential risks and challenges that need to be addressed proactively. Organizations need to ensure that their information management, privacy, and security policies are ready to handle the implications of the increased use of wireless technologies. This includes implementing strong security measures, complying with relevant data privacy regulations, effectively managing data, and addressing ethical concerns. By being prepared and proactive, organizations can harness the power of wireless technologies for business success while mitigating potential risks.
