Search Results
- CNIL’s €42M Free Mobile Fine: When “Just in Case” Data Retention Triggers Disaster
Keeping past customer data “just in case” is no longer a neutral business choice—it’s increasingly treated as a security and compliance amplifier when things go wrong. France’s CNIL announcement on January 13, 2026, proves it: €27 million against FREE MOBILE and €15 million against FREE, totaling €42 million, tied to a 2024 breach exposing data from 24 million subscriber contracts (including IBANs). The Findings CNIL’s own sanction decision is unambiguous about the retention failure specific to Free Mobile: the company “had not implemented measures to sort the data of former subscribers in order to retain only those necessary for accounting purposes and then delete them when their retention was no longer necessary.” The regulator called out: No filtering/sorting mechanisms to distinguish data still needed (e.g., accounting) from data that should be deleted. Millions of data points retained for excessive periods without justification. No operational deletion process at the end of retention periods. Free Mobile’s remediation during the investigation—starting to sort data for 10-year accounting retention and deleting excess—came too late to avoid the fine. Why Retention Schedules aren’t Optional Anymore This wasn’t a one-off. A retention schedule is now the only practical tool to operationalize GDPR Article 5(1)(e) “storage limitation” across complex environments. It translates messy reality—laws + business needs—into executable “keep until X, then delete” rules that IT systems can enforce. The old myth of retention schedules as minimum periods (“keep everything at 7 years”) is dead. Modern schedules dictate maximum retention: data lives only as long as justified, then gets purged. When that fails, as with Free Mobile, regulators see “policies without teeth.” The Real Complexity: Business vs. Compliance Retention fights aren’t technical—they’re human. 
Legitimate business units clash over data lifespan: Billing/Finance: Need 10 years for audits, disputes, and revenue recognition. Customer Service: Keep account history for warranty claims and complaints. Marketing: Historical trends, segmentation, churn prediction. AI/ML: Training datasets, evaluation baselines, model provenance. Without a schedule forcing these stakeholders to agree on purpose + duration, organizations default to indefinite. Free Mobile’s former-subscriber data sat around for years because no one defined when it stops being useful. Every Extra Year is a Bet You’re Losing CNIL’s logic is brutally clear: Blast radius grows—24M contracts exposed, not just active ones. Legacy systems weaken—old data hides in forgotten corners. Regulators smell blood—storage limitation becomes proof of systemic failure. Your Action: Build the Retention Schedule Now Map data by business purpose (billing? marketing? AI?). Set maximum retention (not minimum—when does it expire?). Operationalize deletion (auto-purge, audit trails, exceptions logged). Get business sign-off on the retention rules (finance, marketing, legal, AI teams agree). Test it works (quarterly validation: Did X data get deleted on schedule?). Free Mobile shows what happens when you don’t manage information in accordance with pre-established retention rules and policies: €42M, plus a regulator-mandated cleanup under court supervision. Primary source: CNIL official announcement: https://www.cnil.fr/en/sanction-free-2026cnil
- The New York Department of Financial Services Cares About Your Asset Inventory and Retention Practices
The New York Department of Financial Services (NYDFS) has made it clear through both regulation and enforcement that organizations cannot manage, secure, or certify what they cannot see. Asset inventories and documented retention practices are no longer administrative exercises — they are foundational components of cybersecurity governance, executive accountability, and regulatory trust. Recent NYDFS consent orders demonstrate that these expectations are not theoretical. Most recently, in October 2025, eight auto insurance companies agreed to pay more than USD 19 million in aggregate penalties for violations of the NYDFS Cybersecurity Regulation (23 NYCRR Part 500), reflecting deficiencies in cybersecurity programs and controls protecting nonpublic information. NYDFS is evaluating how governance frameworks operate in practice, not just how they are documented. Executives should assume that NYDFS examiners will not simply ask whether policies exist — they will ask how those policies are implemented, enforced, and evidenced. Can you produce a current, complete asset inventory? Organizations should expect NYDFS examiners to request a documented inventory of information systems and data repositories, including on-premises environments, cloud services, third-party platforms, and business-managed applications. Inventories should clearly identify system ownership, data classifications, and lifecycle attributes. NYDFS enforcement activity has repeatedly highlighted situations where systems containing nonpublic information were excluded from formal inventories and, as a result, fell outside established security monitoring, risk assessment, and disposal controls. An incomplete inventory is not a documentation issue — it is a governance failure. How do you enforce your retention schedule across systems? NYDFS expects organizations to demonstrate that retention schedules are operationally enforced, not merely written. 
This includes showing how systems and repositories are mapped to retention categories and how exceptions — such as legal holds or regulatory retention requirements — are managed. Across enforcement matters, NYDFS has treated reliance on “paper policies” without technical or procedural enforcement as a control weakness, particularly where over-retention expanded the exposure of nonpublic information during cybersecurity incidents. How do you verify secure disposal occurs in accordance with retention requirements? Examiners may request evidence of deletion and disposal processes, including validation controls and audit trails confirming that nonpublic information is disposed of when it is no longer required to be retained. NYDFS scrutiny increasingly focuses on whether secure disposal practices are tested, logged, and periodically reviewed, rather than assumed — especially in environments such as email, cloud storage, and legacy systems where data can quietly accumulate over time. Why this Matters NYDFS enforcement activity reflects a clear and consistent theme: effective cybersecurity compliance depends on visibility, governance, and execution. Asset inventories, retention schedules, and secure disposal practices are no longer peripheral compliance tools — they are central to how regulators assess risk management maturity and executive accountability. For financial organizations doing business in New York, the message is straightforward: If you cannot clearly identify what information you have, where it resides, how long it is retained, and how it is securely disposed of, NYDFS will view that as a material control gap — regardless of how polished your policies may appear. #informationgovernance #infogov #recordsretention #cybersecurity #risk
- 2026: The Year Poor Information Management Becomes a Top Enterprise Risk
Why Leaders Must Act Now to Strengthen Their Information Governance Foundations For years, organizations have watched unstructured information grow quietly in the background—emails piling up, Teams chats exploding, shared drives multiplying, and documents scattered across cloud platforms. Everyone knew it was messy. Everyone assumed they’d clean it up “one day.” That day has now arrived. 2026 is shaping up to be the year poor information management stops being an operational inconvenience—and becomes a measurable enterprise liability. Across every sector, analysts, auditors, and advisors are telling executives the same thing: If your organization doesn’t get control of its information ecosystem in 2026, costs, inefficiencies, and transformation failures will accelerate. This blog breaks down the risk, the data, and what leaders must do now to stay ahead. The Hard Truth: Most Information Is Already Out of Control 80–90% of enterprise content is unstructured (Gartner, IDC, AIIM) And it’s growing 20–40% annually, exploding across: Teams SharePoint OneDrive Email File shares Mobile apps Departmental systems Vendor platforms This sprawl creates blind spots that no tool alone can fix. ROT Is Consuming Storage Budgets and Lowering Trust 40–60% of enterprise content is ROT (Iron Mountain, Cleardata, AIIM) Redundant. Outdated. Trivial. And it’s costing organizations millions. AIIM reports that up to 35% of total storage spend is pure waste caused by unnecessary content. This is no longer a cleanup project. It’s a financial drain that hits budgets, system performance, and user trust. Employees Can’t Find What They Need — and It’s Crippling Productivity 60% of workers say they cannot find the information they need to do their job (McKinsey, SearchUnify) Employees now spend 22–28% of their workweek searching for the right version, the right folder, or the right system. This is not a soft issue. 
This is a hard productivity loss and a driver of burnout, turnover, and stalled execution. Retention & Disposition Are Still Broken in Most Companies Despite years of policies, training, and tool investments: 72% of organizations admit they do not consistently apply retention or disposition rules (AIIM) Content piles up. Risk piles up. Costs pile up. Regulators, auditors, and legal teams are beginning to ask tougher questions—questions that require evidence of governance, not intentions. AI Projects Are Failing Because the Information Foundation Is Cracked 57% of AI initiatives fail due to poor information quality (IBM, Deloitte) Not cyber. Not privacy. Not even the model. Just bad, outdated, inconsistent, or duplicated information feeding the system. Broken content = broken insights. ROT in → ROT out. Organizations cannot modernize with yesterday’s information habits. 2026–2027: The Forecast Leaders Must Pay Attention To Analysts predict a widening gap between companies that address IG now and those that push it off. ➤ 2024–2025: The Breaking Point 60% of companies say they can’t keep up with unstructured data growth (IDC) 72% admit they lack consistent retention and disposition (AIIM) Companies retain 30–50% more ROT than in 2023 (Iron Mountain) ➤ 2026: The Year the Shift Becomes Unavoidable 60% of companies will have an IG maturity gap creating measurable operational inefficiencies (Gartner) Executives will spend 30% more time managing information-related escalations than in 2024 (Forrester) Unstructured content will surpass 93 zettabytes globally (IDC) ➤ 2027: The Divide Between Leaders and Laggards Strong IG programs see a 35% increase in AI project success rates (Deloitte) Mature IG organizations reduce redundant storage by up to 60% (Gartner) 70% of transformation failures will be tied to poor information quality—not technology (McKinsey) What This Means for Executives in 2026 Information governance is no longer a back-office function. 
It impacts: operational efficiency decision accuracy employee performance compliance confidence customer responsiveness technology ROI AI capabilities organizational agility Leaders who treat information as an asset—rather than a byproduct—will outperform. But the reality is that most organizations do not have the internal bandwidth or cross-functional expertise to fix this alone. That’s why we’re seeing accelerated demand for: fractional IG leadership targeted IG modernization projects unstructured data cleanup metadata and classification improvements pragmatic retention/disposition models AI readiness assessments cross-functional governance alignment This is not a luxury. It’s becoming standard. 2026 Is the Year to Act The true risk isn’t the volume of information. It’s continuing to operate with broken habits, outdated structures, and unmanaged content. In 2026, the winners won’t be the organizations with the most data— but the ones who manage information with clarity, discipline, and purpose. #infogov #informationgovernance #informationrisk
- AI Governance Grows Up: Proxy Statements Signal a New Era of Board Accountability
For years, governance professionals like myself have been preaching a simple truth: technology is no longer just an operational tool — it’s a governance issue. We saw it happen with cybersecurity. Then data privacy. Now, artificial intelligence is stepping onto the same stage — and this time, it’s entering through the front door of corporate accountability: the DEF 14A proxy statement. Traditionally, proxy filings were about electing directors, approving compensation, and checking the usual ESG and risk management boxes. But in the last 18 months, something significant has shifted. Companies are beginning to explicitly disclose how their boards oversee AI — and that changes everything. Why This Matters: AI Just Became a Board-Level Responsibility When AI appears in a proxy statement — a regulated document sent to shareholders — it signals that AI is no longer just an innovation initiative. It’s a governance obligation. Across sectors, we’re now seeing language such as: “The Audit and Technology Committee oversees key risks related to artificial intelligence, automation, and data governance.” Or: “Our Responsible AI Framework is aligned with NIST and ISO standards and is subject to regular board review.” This isn’t fluff. This is the early formation of AI risk governance models, right in plain view of regulators, shareholders, and stakeholders. The Pattern Is Clear: AI Governance Is Following the Same Maturity Path as Cybersecurity

| Stage | Cybersecurity (2015–2018) | AI Governance (2023–2025) |
| --- | --- | --- |
| Awareness | Cyber was mentioned vaguely as “IT risk.” | AI is referenced as “innovation and efficiency risk.” |
| Assignment of Oversight | Boards assign cyber to Audit/Risk Committees. | AI oversight now appears in Tech, Audit, or "Innovation Committees." |
| Early Frameworks | NIST Cyber Framework emerges. | NIST AI RMF & ISO 42001 become reference points. |
| Disclosure Expectations | Cyber risk became mandatory in SEC reporting. | AI risk disclosures are next — the writing is already on the wall. |

The governance cycle is predictable — but AI raises new and unique challenges that boards cannot treat as a checkbox exercise. The Governance Questions Boards Must Now Answer Who is accountable for AI oversight? Audit? Risk? Technology? A new AI Committee? What frameworks are we using? NIST AI Risk Management Framework? ISO 42001? Internal ethics guidelines? Do we have visibility into all AI activity across the enterprise? Because what’s more dangerous than AI? Shadow AI (unauthorized AI) How are we balancing innovation with compliance? AI is both a growth driver and a regulatory landmine. Governance must enable both. My Message to Fellow Governance Leaders: Lean In — or Get Left Behind AI governance isn’t just about risk mitigation. It’s about strategic value protection and value creation. Boards that take AI seriously — that don't just disclose oversight but demonstrate discipline — will attract investment, retain customer trust, and accelerate responsible innovation. For those of us in information governance, records management, privacy, or risk roles, this is our moment. We’ve spent years building the foundation: controls, policies, metadata, lifecycle management, and audit defensibility. Now AI has made all of that mission-critical. Final Thought Proxy statements are more than compliance filings — they’re signals of what corporate America takes seriously. And the message is now unmistakable: AI is officially a governance issue. Let’s make sure we — the stewards of responsible information — are the ones helping boards define how to govern it.
- Machine Learning, AI, Auto Classification Technology: Manage Records and Information
AI / MACHINE LEARNED FOR INFORMATION MANAGEMENT There are several benefits to using machine learning and artificial intelligence for records management, policy compliance, personal information identification, and eDiscovery on unstructured content. Companies have tried using this technology for over a decade and often get frustrated in the setup and implementation process and end up abandoning the technology. Technology has significantly advanced in the last few years and should be reconsidered. This blog will remind you why this technology can add value to your organization. 1. Compliance with policies: Machine Learning and AI technology can help organizations comply with records management policies, data privacy regulations, and other legal requirements by automatically classifying records, identifying personal information, and flagging potential compliance issues. 2. Increased efficiency: Machine learning and AI can automate many time-consuming tasks associated with records management, such as identifying and classifying records and automating the disposition of records in accordance with policy. This can result in faster and more efficient processes and reduced employee manual labor. 3. Identify Risk: Machine Learning and AI technology can analyze large volumes of unstructured content to find risks associated with personally identifiable information, trade secrets, intellectual property, etc. 4. Improved accuracy: ML/AI systems can process large amounts of data quickly and often more accurately than humans. This can result in higher accuracy in classifying records, finding personal information, and identifying relevant information for eDiscovery. 5. Cost savings: By automating many of the manual tasks associated with records management, privacy management, policy management, and eDiscovery, organizations can save time and resources, leading to cost savings. It can also reduce storage footprint and associated costs by reducing data that has met its useful life. 
6. Better decision-making: ML and AI can provide organizations with insights and analytics to help them make informed decisions about their records management processes and overall compliance posture. Machine Learning and AI can provide significant benefits for helping organizations reduce the burden associated with complying with laws and regulations and removing some of the burdens from employees. Even though technology has advanced significantly, organizations still need knowledgeable professionals to set up, implement, and oversee these technologies to ensure that they are used in a manner that is consistent with organizational policies and legal requirements. Kahn Consulting has been working with technologies for over a decade and has developed a methodology to help organizations get the technology humming along. If you are interested in a small pilot to demonstrate the advances in the technology and get some accurate data on some demographics (outdated date, age of data, last accessed, Personal Identifiable Information (PII), etc.) of your unstructured data, please give us a call at (989) 763 – 6611.
- Policies Are the Heartbeat of Trusted and Governed AI: Why Clear Governance is the New Competitive Advantage
In the age of Artificial Intelligence, the pace of innovation is thrilling—but also fraught with risk. From ChatGPT drafting emails to algorithms shaping business decisions, AI is reshaping how we operate, communicate, and compete. But here's the hard truth: Without clear, understandable, actionable, accessible, and enforceable policies, AI becomes a wild stallion with no reins. At Kahn Consulting Inc., we believe that good governance doesn't slow innovation—it powers it safely and responsibly. In fact, governance is the essential enabler of innovation. Why Policies Matter More Than Ever Policies are often misunderstood. People see them as red tape. But smart organizations know better. A well-crafted policy is a beacon—it clarifies what’s allowed, what’s off-limits, and what’s expected. Especially when it comes to AI, policy is the guardrail that protects your organization from unnecessary risk, reputational damage, regulatory backlash, and operational chaos. Let’s be real: AI is not just another tool. It learns. It adapts. It makes decisions. That’s why governing its use isn’t optional—it’s essential. Governing AI: Clarity is Key A powerful policy isn’t a legal thicket of jargon—it’s a clear, simple, human-readable guide for behavior. Employees shouldn’t need a law degree to understand how to use AI responsibly. They need a one-pager that makes them say, "Ah, now I get it." That’s why our approach to AI governance emphasizes clarity, simplicity, and accessibility. Because when everyone understands the rules, compliance isn’t a burden—it becomes part of the culture. The AI Policy That Puts People First We’ve outlined a clear set of AI principles to help organizations not just survive but thrive in the era of intelligent machines. Here’s what matters most: Human Oversight – AI can do the heavy lifting, but humans must own the final decision. No Sole Reliance – Business-critical or legally impactful decisions can’t rest solely on AI-generated outputs. 
Avoid Public AI Tools for Sensitive Work – Confidential data belongs in secure, vetted systems—not public AI tools or chatbots. Use Only Approved AI Tools – Provide employees with great tools so they’re not tempted to “go rogue.” Report Incidents Promptly – If something looks off, say something—AI is only as safe as the vigilance around it. Remember, AI “hallucinates” from time to time, without simple explanation, so be prepared. Respect IP and Privacy – Feeding another party’s intellectual property, copyrighted material, or personal data into AI without legal right is a fast track to trouble. Label AI Content – Transparency isn’t just ethical—it’s essential. Ban Unethical Use – Not all innovation is good innovation. Draw clear lines. Train Your People – Empower employees with AI literacy. A little education goes a long way. Follow the Law – Align your internal policy with all relevant laws and the rules of AI providers. We don’t just build policies to check a box. We help organizations build culture. Because, when your employees understand the why—and not just the what—they become your first line of defense and your strongest asset. The Future Belongs to the Governed At Kahn Consulting, we’ve been at the forefront of Information Governance for decades. We’ve helped companies navigate shifting regulations, rising data volumes, and now, the dawn of Artificial Intelligence. The organizations that will win in this AI-driven future are those that take governance seriously—those that invest in clarity, empower their people, and recognize that policy isn’t paperwork—it’s leadership. So ask yourself: Is your AI use governed—or just guessed? Don’t leave it to chance. Govern it—clearly, simply, and smartly. Need help designing an AI policy that employees understand and trust? Kahn Consulting can help. We bring decades of experience in governance, compliance, and information strategy to make sure your innovation is not only cutting-edge—but also safe, smart, and sustainable.
- Taming the Information Explosion: Why a Predictable End-of-Life for Data is Critical
We are living in an era of unprecedented information explosion. Data is created at an astonishing rate, with organizations generating, collecting, and storing more information than ever before. But not all information holds lasting value. Much of it has a fleeting purpose—serving its role for a limited time before becoming digital clutter. The sheer volume of data is creating excessive noise in organizations, making it difficult to identify valuable insights and critical information. To reduce this noise, organizations must implement a predictable end-of-life for information and leverage automation to help manage it effectively. Without a disciplined approach to information lifecycle management, companies risk drowning in obsolete data, leading to increased costs, compliance risks, and missed opportunities. The reality is that not managing the lifecycle of information has serious consequences. Unstructured, outdated, and redundant data—often referred to as ROT (Redundant, Obsolete, Trivial)—hinders operational efficiency, complicates audits and legal inquiries, erodes customer trust, and limits the ability to harness AI-driven insights. A predictable end-of-life for information is the key to ensuring data remains an asset rather than a liability. Building Customer Trust Through Responsible Information Management In a world where data privacy concerns are at an all-time high, customers expect companies to be responsible stewards of their information. Organizations that fail to properly govern their data—whether through unnecessary retention or lax security measures—risk damaging their reputation and eroding trust. Data breaches often result from over-retained, poorly managed data. By implementing a well-defined information lifecycle, companies can mitigate the risk of retaining sensitive customer data beyond its necessary lifespan, ensuring compliance with privacy regulations like GDPR and CCPA. 
Proactively disposing of outdated information not only enhances security but also reassures customers that their personal data is handled responsibly. Reducing Storage Costs and Optimizing Resources Storing excessive amounts of information isn't just a governance issue—it’s a financial burden. Cloud and on-premise storage costs continue to rise, with companies often paying to retain data long after its useful life. Implementing a defensible retention and disposition policy ensures that organizations only keep what’s necessary, optimizing storage infrastructure and reducing unnecessary expenditures. By eliminating outdated and irrelevant data, businesses can also improve system performance, enhance searchability, and streamline access to valuable information. Responding to Audits, Investigations, and Litigation with Confidence Regulated industries and enterprises face ongoing challenges when it comes to compliance, audits, and legal inquiries. When information is not systematically managed, responding to requests for data can become a costly and time-consuming ordeal. Retention policies that enforce a predictable end-of-life for records ensure that organizations retain only the information they need—and dispose of what they don’t. This defensible approach reduces legal exposure, facilitates rapid responses to eDiscovery requests, and minimizes the risks associated with over-retention, such as inadvertent exposure of outdated or privileged information. Ensuring Privacy Compliance Through Data Lifecycle Management Data privacy laws are becoming increasingly stringent, with regulations like GDPR, CCPA, and others imposing strict requirements on data retention and deletion. Organizations must not only protect personal data but also ensure it is not retained longer than necessary. Failure to comply with these regulations can lead to hefty fines, reputational damage, and loss of customer trust. 
Implementing a robust information lifecycle strategy ensures that personal data is systematically disposed of when it is no longer needed, reducing the risk of non-compliance. Privacy compliance is not just about protecting data—it’s about enforcing a disciplined approach to managing it from creation to disposal. Knowledge Transfer and Employee Transitions When employees leave with little notice, critical business knowledge can be lost if information is not properly managed. If data is cluttered with ROT, a replacement employee may struggle to locate essential files, emails, and documents managed by the departing team member. A well-structured information governance strategy ensures that unstructured content is properly categorized, stored, and retained, making transitions smoother and preserving institutional knowledge. Ensuring information is organized and accessible reduces downtime and improves productivity when roles change. Clean data means a seamless handover, enabling new employees to find what they need quickly and efficiently. Harnessing the Value of Information in AI and Emerging Technologies Data fuels artificial intelligence and machine learning. However, the quality of AI-driven insights is only as good as the data being fed into the system. Organizations that fail to manage the lifecycle of their information risk overwhelming AI systems with irrelevant, redundant, or outdated data, diluting the accuracy of predictions and recommendations. By curating high-quality, relevant data through structured retention and defensible disposition policies, businesses can ensure that their AI technologies derive meaningful, actionable insights. Proper data hygiene isn’t just about compliance—it’s about unlocking innovation and competitive advantage. A Call to Action: Prioritize Information Lifecycle Management In today’s digital landscape, information should be an asset, not an anchor. 
Establishing a predictable end-of-life for data enables organizations to build customer trust, reduce costs, respond swiftly to audits and legal matters, and optimize AI-driven innovation. It’s time for businesses to move beyond data hoarding and embrace information lifecycle management as a strategic imperative. #InfoGov #Information #IG #RecordsManagement #RIM
- Legal Operations Department: The Backbone of Enterprise Information Governance
Legal Operations Leading Information Governance and Records Management Programs In today’s data-driven world, legal operations departments are stepping into a pivotal role: managing the information governance (IG) and records management programs for their entire organizations. This shift isn’t just about controlling costs or streamlining workflows; it’s about creating a unified set of rules that align regulatory requirements with business needs, protecting the organization while enabling it to thrive. The Association of Corporate Counsel (ACC) Legal Operations Maturity Model is a popular reference tool that legal department leaders use to assess maturity in a wide range of functional areas relevant to optimizing legal services delivery. In the advanced stage of the ACC Legal Operations Maturity Model for information governance, legal operations fully integrate IG as a core strategic function across the enterprise. Why Legal Ops? Legal operations teams are uniquely positioned to lead enterprise-wide IG initiatives. Unlike IT or privacy departments, where conflicts of interest may arise (“fox guarding the henhouse”), the legal ops department brings an independent and objective perspective. While IT departments are typically focused on system performance and privacy teams concentrate on safeguarding sensitive data, neither has the mandate or neutrality to create enterprise-wide rules based on both regulatory compliance and business priorities. Legal ops, however, operates with cross-departmental authority and a focus on risk mitigation and compliance, making it the ideal steward for IG programs. Here’s why legal ops should own this responsibility: Regulatory Expertise: 📃 Legal operations professionals are already adept at interpreting and applying complex legal and regulatory frameworks. 
By extending this expertise to IG, they ensure retention schedules, data handling practices, and defensible disposition policies align with evolving regulations like GDPR, CCPA, and SEC rules. Enterprise Oversight: 🌍 Unlike siloed departments, legal ops have a bird’s-eye view of the organization. This perspective allows them to develop and enforce IG policies that are not only legally compliant but also meet business needs across all functions. Risk Mitigation: ⚠️ Poor information management increases the risk of non-compliance, data breaches, and litigation. Legal ops can implement IG programs that identify and mitigate these risks while providing a defensible framework for the disposition of unnecessary data. Cost Management: 💰 Legal ops know firsthand the costs associated with mismanaged information, from skyrocketing eDiscovery expenses to inefficiencies in locating critical documents. By instituting effective IG policies, they can drive significant cost savings for the organization. Closing Thoughts Legal operations departments are more than cost centers; they’re strategic partners capable of driving enterprise-wide change. By taking ownership of information governance and records management, legal ops provide the rules and structure that organizations need to thrive in a complex regulatory landscape. Supported by research and emerging trends, their leadership ensures compliance, reduces risk, and creates a foundation for sustainable growth. Are you ready to empower your legal operations team to lead the information governance/records management charge? Contact us at (989) 763-6611 or awcollison@kahnconsultinginc.com to partner with you on advancing your current program.
- Watch Webinar Recording: Addressing Information Governance in a M365 Environment
Watch Recording: Addressing Information Governance in a M365 Environment

Panelists from Kahn Consulting and X1 discuss Addressing Information Governance in a M365 Environment.

Successful information governance in a Microsoft 365 environment can be extremely challenging. Organizations are tasked with executing on the goals of their information governance policies and procedures while continuously faced with time, technology and resource limitations. Organizations require ways to gain deeper insights into M365 data and operationalize their compliance processes, in order to effectively address their information governance use cases, such as PCI compliance, ROT, data separation, and GDPR. Addressing current challenges provides a blueprint to forward-looking solutions that can help proactively manage data, inform strategic decisions, and reduce time and resources required for operational efficiency.

In this session, panelists from Kahn Consulting and X1 will discuss:

• Historical challenges and current strategies to address IG in Microsoft 365
• Ways to proactively identify and manage compliance and data governance policies with scalable, fast and efficient technology solutions
• Case studies from recent successful engagements involving large data sets in Microsoft 365

This session will also include an interactive Q&A.
- FTC Action Against General Motors: What Can Go Wrong When Companies Fail to Ensure Proper Management of Data
Information Management

In today’s digital landscape, data is more valuable than ever. Businesses collect, analyze, and leverage vast amounts of information to drive decision-making, improve customer experiences, and gain a competitive edge. But with great power comes great responsibility—and the consequences of mismanaging that responsibility can be severe. The recent Federal Trade Commission (FTC) action against General Motors (GM) serves as a stark reminder of what can go wrong when companies fail to ensure proper data use and consent protocols.

The GM Case: A Wake-Up Call for Businesses

On January 15, 2025, the FTC announced enforcement action against General Motors for sharing drivers' precise location and driving behavior data without obtaining proper consent. This breach of consumer trust underscores the critical importance of transparency and adherence to privacy regulations. According to the FTC, GM shared sensitive data with third parties, including marketers and data brokers, without adequately informing drivers or obtaining their explicit permission. As a result, drivers were exposed to potential risks, including unwanted surveillance and exploitation of their personal data. The fallout from this case is a cautionary tale for any company handling consumer information.

Protecting Your Company and Customers

If your organization collects or uses data, you must take proactive steps to avoid becoming the next cautionary tale. Here are key considerations and best practices to ensure you’re on the right side of data ethics and compliance:

1. Understand the Data You Collect
Conduct a thorough data inventory to identify all the types of information your company collects, processes, and stores. Determine which data points are sensitive, such as location information, personal information, health records, or financial details.

2. Obtain Clear and Explicit Consent
Use plain language to inform users about what data you’re collecting, how it will be used, and with whom it will be shared. Implement mechanisms to capture explicit consent.

3. Limit Data Sharing
Avoid sharing data with third parties unless it’s essential and explicitly agreed upon by users. Vet third-party partners to ensure they adhere to privacy standards and regulations.

4. Educate Your Workforce
Train employees on data privacy regulations, your company’s policies, and best practices for protecting sensitive information. Ensure staff understand the importance of consent and data security in their daily operations.

5. Tighten Down Contracts with Third Parties
Include clear terms in contracts with vendors and partners to ensure they comply with privacy laws and handle data responsibly. Require regular audits or compliance certifications from third-party vendors.

6. Stay Compliant with Privacy Regulations
Familiarize yourself with laws like the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable regulations. Regularly review and update your privacy policies to align with evolving legal requirements.

7. Use Technology to Monitor Data Leaving Your Company
Deploy data loss prevention (DLP) tools to monitor and control the flow of sensitive information out of your organization. Use analytics to detect unusual patterns of data access or transfer that could indicate misuse.

8. Manage the Retention and Disposal of Data You Collect
Implement a records retention schedule to ensure data is kept only as long as legally and operationally necessary. Securely dispose of outdated or unnecessary data to minimize risks of breaches or misuse.

9. Establish a Data Governance Framework
Create a comprehensive data governance framework to define roles, responsibilities, and policies for managing data. Ensure this framework includes oversight for data quality, security, and compliance.

10. Build a Culture of Accountability
Make data privacy and security a core part of your company’s values. Encourage employees at all levels to prioritize data protection and report potential risks or breaches immediately.

Why Transparency and Consent Matter

Failing to prioritize transparency and proper consent can erode consumer trust, damage your brand reputation, and expose your company to legal repercussions. Beyond regulatory fines, the loss of customer loyalty can have long-lasting financial impacts. Consider this: today’s consumers are more aware than ever of their privacy rights. They expect businesses to respect those rights and act in their best interests. Companies that fail to meet these expectations risk alienating their audience and losing market share to more responsible competitors.

Final Thoughts

The FTC’s action against GM is a stark reminder that data misuse is not just a technical or operational issue—it’s a matter of trust. Companies that prioritize transparency, consent, and compliance will not only avoid regulatory scrutiny but also build stronger, more loyal customer relationships. Ask yourself: Do you really know how your company’s data is being used? If the answer is anything less than a confident "yes," now is the time to act. Your customers, your reputation, and your bottom line depend on it.
- Automating the Management of Unstructured Information
In today’s digital world, the amount of unstructured data—emails, files stored in Box, Microsoft 365 documents, fileshares, and more—has skyrocketed. While this information can hold immense value for businesses, managing it manually is no longer feasible or effective. Companies are grappling with complex legal and regulatory requirements, skyrocketing storage costs, and growing cybersecurity threats. Manual efforts to classify, retain and dispose of information are no longer sufficient to ensure compliance and safeguard information. More than ever, organizations must adopt automated solutions to efficiently manage unstructured information.

Regulatory Imperatives for Automating Information Governance

With the enforcement of regulations like GDPR, HIPAA, and CCPA/CPRA, businesses face strict compliance demands when handling personal and sensitive data. Non-compliance not only damages a company's reputation but also leads to steep financial penalties. In 2023, GDPR fines surpassed €1.2 billion ($1.3 billion), highlighting the aggressive stance regulators are taking. Meanwhile, the SEC charged 10 firms with widespread recordkeeping failures, resulting in $79 million in fines, following over $1.8 billion in penalties imposed the previous year. This trend makes it clear: companies must prioritize automated governance to avoid serious consequences.

Reducing Costs, Risks and ROT through Automation

The explosion of unstructured data also brings considerable costs. Gartner estimates that 80% of enterprise data is unstructured, and much of it is ROT—redundant, obsolete, or trivial. Keeping such data unnecessarily inflates storage costs without adding value. Automated systems allow companies to classify information in real-time, eliminating ROT and minimizing both costs and risks. Furthermore, these systems identify high-risk data such as intellectual property (IP) or personally identifiable information (PII), ensuring it is protected appropriately.

Managing Information Amid Rapid Employee Turnover

Employee turnover is another challenge that companies face. With over 40% of the global workforce changing jobs every four years, businesses need automated systems that retain institutional knowledge while making critical data easily accessible. When employees leave, they often take crucial knowledge with them, but their data remains. Automated tools, such as indexing and search functionalities, ensure that departing employees’ data is preserved and accessible, preventing loss of business insights.

Automation in Mergers & Acquisitions: A Critical Need

In a world where mergers and acquisitions (M&A) are frequent—global M&A deal values hit $3 trillion in 2023—the need for automated information separation has never been greater. Automation helps classify, purge, and separate unstructured data, ensuring that only necessary, high-quality information moves forward in a transaction, avoiding the transfer of ROT into the new organization.

Navigating Litigation, Audits, and Investigations

Corporate litigation, regulatory audits, and investigations require quick and accurate access to relevant data. Manually sorting through massive amounts of unstructured information is time-consuming and inefficient. With automated systems, companies can perform rapid in-place searches, ensuring they meet legal deadlines, conduct early case assessments, and reduce the costs associated with lengthy discovery processes.

Unlocking the Value of Unstructured Data

Beyond compliance and risk management, unstructured data holds untapped potential to drive business value. Data-driven decision-making is becoming a competitive differentiator, with companies that excel in this area being 23 times more likely to acquire customers and 19 times more likely to be profitable. However, without the right tools, much of this data remains inaccessible. Automated systems not only make unstructured data searchable and organized but also prepare it for analysis, enabling companies to harness its value for innovation and enhanced customer experiences.

Why Automating Unstructured Data Management is Urgent

With unstructured data growing rapidly and business landscapes becoming more complex, companies can no longer afford manual information governance methods. Automating unstructured data management ensures legal and regulatory compliance, reduces storage costs, protects sensitive data, and enables faster responses to litigation and audits. Most importantly, it allows businesses to make data-driven decisions that enhance their competitive edge.

Why Partner with Kahn

Managing unstructured data is no longer a choice—it's a business imperative. By adopting automated systems, companies can not only reduce risk and costs but also unlock the full value of their information assets. Kahn Consulting has been at the forefront of leveraging technology to streamline information governance for over two decades. We partner with industry-leading solutions that provide cost-effective, scalable tools to help businesses take control of their unstructured data. Our team of experts bridges the gap between governance policies and cutting-edge automation, enabling organizations to manage retention and disposition seamlessly. With Kahn, you're equipped to navigate today's information challenges while preparing for tomorrow's opportunities in an ever-evolving digital landscape.
- Randolph A. Kahn is Named to LatticeFlow Advisory Board
Zurich, Switzerland, July 17th, 2024. LatticeFlow AI, the leading platform empowering AI teams to build performant, safe, and trustworthy AI solutions, announces the addition of Randolph A. Kahn, ESQ. to its advisory board. Kahn is a recognized global leader in information governance, with decades of experience advising major global organizations, including the US government and various corporations, on the complex legal and compliance aspects of information management.

This addition enhances and complements LatticeFlow AI’s current advisory board, which consists of Milena Marinova, VP at Microsoft, and Jean-Luc Chatelain, former CTO of Applied Intelligence at Accenture. Kahn will play a key role in strengthening the company’s commitment to trustworthy AI practices while advancing its leadership in enabling enterprises to mitigate AI risk.

“Randolph’s unparalleled expertise in information governance and compliance is a valuable addition to our advisory board,” said Andre Boisvert, Chairman of LatticeFlow AI. “His insights will be instrumental in guiding our strategies to ensure our AI solutions not only perform at the highest levels but also enable public institutions and private companies to adhere to the strictest standards of legal and regulatory compliance.”

“I am honored to join LatticeFlow AI’s advisory board,” says Randolph. “The convergence of AI and regulatory compliance is crucial in today’s digital landscape. I look forward to contributing to the company’s efforts in mitigating risks and enabling safe, secure, and compliant AI solutions.”

Enabling AI Risk Mitigation in Business-Critical Domains

Kahn’s expertise in navigating the legalities of technology for regulated industries aligns perfectly with LatticeFlow AI’s expansion into business-critical domains, where the company delivers key technology to mitigate risks associated with AI. Despite the impressive accuracy of AI models demonstrated in pilots and proof-of-concept projects, building AI solutions that perform reliably on real-world data remains an immense challenge. This affects both technical teams building and delivering AI solutions as well as management teams that need to quantify risks and approve AI solutions for use in business-critical operations.

LatticeFlow AI has established itself as a pioneer technology provider in this area. The company has recently announced the first solution designed to find and identify model errors in audio AI applications. Combined with the company’s existing capabilities in computer vision, this innovation establishes LatticeFlow AI as the most advanced solution enabling deepfake detectors to prevent and block sophisticated deepfake threats. Additionally, the company has been working with public and research institutions, such as the US AI Safety Institute Consortium (AISIC), to develop methods, benchmarks, and testing environments that help organizations operationalize practices related to current and upcoming regulations enforcing safe, secure, and trustworthy AI.

LatticeFlow AI Appoints Renowned Digital Legal Expert Randolph A. Kahn, Esq. to its Advisory Board - LatticeFlow











