

Information governance 2015: The year of digital evidence as truth

Businesses saw major shifts to their information governance 2015 processes as legal and compliance rules more heavily relied on digital evidence as truth.

The past year has been a remarkable one for information governance. Without much fanfare, companies and regulatory bodies have shifted from 20th century records management protocols and processes to embrace a broader, interconnected scope of information governance as a unifying business priority.

The transformation has been important. Globally, headlines have emphasized the consequences of poor information governance. As a result, corporate boards of directors and regulators now appreciate more than ever the need to focus on the quality of controls designed to manage business information assets. As we examine several key information governance 2015 developments, it is clear that those who have long advocated for data management's business importance are now in the spotlight to deliver on their claims.

Digital evidence forces big shifts for information governance 2015

More than ever, determining whether a company has violated the rule of law requires the evaluation of digital evidence. Whether conducting an internal investigation, performing e-discovery in litigation claims made by business partners or responding to official government enforcement actions, companies must have the ability to organize and present digital records as evidence of the truth.

For example, in June 2015 a U.S. Federal Court of Appeals affirmed the criminal conviction of defendants arrested by immigration officials who presented Google Maps GPS data to document that the arrests were made within U.S. boundaries. On appeal, the court concluded the satellite images were not "inadmissible hearsay" as the defendants claimed, and could be admitted as evidence. Many legal experts considered the case an important indicator of the confidence courts will increasingly place in digital information as evidence.

The U.S. federal e-discovery rules, originally adopted in 2006, were also updated and revised in 2015. These rules have had a big influence on e-discovery's global evolution, and the new amendments will continue to have a substantial impact. The revisions to the federal e-discovery rules emphasize that requests for, and the production of, electronically stored information (ESI) should be proportional to the complexity of a specific case, among other factors. None of the changes, however, adds any clarity to the obligations of the parties; in fact, they create even further ambiguity.

With these new federal e-discovery rules in place, information governance becomes even more vital to legal cases. Proportionality requires calculations that determine effort levels, probable relevance, the resources required to gather and evaluate the data, and overall costs. None of those calculations can be made without strong information governance processes in place. A company's ability to claim ESI discovery demands are unreasonable and disproportionate to a case will not be sustained by mere posturing. Hard statistics and calculations will be required, which only an effective information governance program can reliably produce.

There is an interesting catch-22 here: The more effective information governance becomes, the more cost effective ESI production becomes. The move toward strong information governance reduces lawyers' abilities to claim that adversaries' e-discovery demands are unreasonable or disproportionate to the case. In other words, lawyers seek to preserve their ability to hide the truth, while information governance leaders still want to produce digital evidence accurately and cost-effectively.

Automated surveillance data goes mainstream

In late 2014, JPMorgan Chase & Co. published a nearly 100-page report describing its commitment to improving compliance within its vast global operations by leveraging automated surveillance and monitoring capabilities. Having paid over $36 billion in fines and sanctions for failing to comply with applicable regulations, the bank placed several billion dollars of new spending into implementing tools that identify and suspend noncompliant activity based on keystroke analysis, IP address patterns and similar forensic methods originally developed to counter international terrorism.

The new investments introduce continuous monitoring as a method to anticipate and foreclose illegal conduct that exposes the bank, and its reputation, to adverse outcomes. These expenditures also place enormous pressure on JPMorgan Chase's competitors to introduce similar control infrastructures and, in turn, invite regulators to expect the same measures be implemented across the financial services industries.

For information governance advocates, these shifts toward internal continuous monitoring create enormous opportunities to add further value to their efforts. The data assets being created by these services, however, also require governance. In the near future, one of the challenges facing information governance professionals will be to make the business case for these new analytic databases. Without that governance, the value of surveillance data as evidence of the truth is vulnerable.

The Securities & Exchange Commission published Regulation SCI -- Systems Compliance and Integrity -- in late 2014, and most of its requirements went into effect on November 3, 2015. Regulation SCI is extensive, with the final release running nearly 800 pages. The SEC realized that digital information as evidence is only as good as the integrity of the related systems from which the information is obtained. Poor governance creates poor data, which in turn makes enforcement of the rule of law difficult.

The SEC expects any company subject to Regulation SCI to create and preserve documentation of how their information systems are designed, adapted, revised and maintained. That is a new level of responsibility within any company: Software engineers and developers are not used to their documentation being treated as a regulatory mandate.

This trend is likely to continue across other regulated industries. The supervision of IT systems architecture has become vital to assuring the reliability of the operating records relied upon to measure regulatory compliance.

Limited mechanisms for personal data transfers

On October 6, 2015, the European Court of Justice invalidated the legality of the safe harbor arrangement under which protected personal information has flowed between Europe and the United States for nearly 15 years. This did not mean that the movement of personal information was impossible, but the decision requires companies to use the more demanding controls of "binding corporate rules" or contractual arrangements to assure that relevant data is provided commensurate protection when transferred to the United States.

Information governance has often been fueled by requirements to protect personal information. But companies with EU-U.S. data flows have relied on Safe Harbor to be an easier path to compliance. The alternative controls that require binding rules and contracts need to be designed, implemented, enforced and documented. These are all valued qualities of strong information governance programs. As a result, information governance has the chance to facilitate improved personal information management, and minimize the disruptive impact caused by the invalidated Safe Harbor agreement.

These changes emphasize that information governance 2015 marked an important shift: Digital records have become the focus of how to evaluate compliance with the rule of law. One of the unexpected truths for information governance is that government agencies remain the most demanding "customer" for internal corporate information assets. For governments, corporate digital records have little or no value as evidence unless effective information governance is in place to prove authenticity.

The same is true within companies required to comply with complex requirements for information assets. For a digital record to be useful to the company, it must prove to be accurate, authentic and trustworthy. Companies like JPMorgan Chase are seeking solutions that integrate corporate governance with the creation and management of digital information. As 2015 ends, information governance is now center stage as the essential business process expected to deliver what is now necessary: accurate digital evidence of the truth.
