COVID pandemic conditions have worsened, further altering our work, life, and social fabrics. I had the pleasure to interview Michael Osterman, industry analyst and president of Osterman Research, to get his take on what the coming months have in store for enterprises in tightly regulated and litigation-vulnerable sectors.
See also the Osterman Research white paper, Archiving as a Key Element of Good Information Governance, highlighting both the criticality and the challenges of maintaining proper governance amid rampant data growth, burgeoning regulatory mandates, and more stringent legal requirements for retaining data.
Excerpts from this interview are being brought to you as a series of four blogs, covering the following topics:
- The State of Information Governance Pre-COVID
- Post-Pandemic Shifts in Strategy
- New Risk Factors
- Managing Compliance and Consequences
The State of Information Governance Pre-COVID
Achmad Chadran: Thank you for accepting our invitation to talk to us about archiving, information governance, and the challenges of maintaining compliance in today’s work-from-home culture.
Michael Osterman: Well, I can't thank you enough. As you noted, there are a lot of regulated industries: police departments, healthcare organizations, financial services, and so forth. It's important to understand that all of us are now regulated, because we have things like the General Data Protection Regulation, or GDPR, in the European Union, we have the California Consumer Privacy Act (soon to be replaced by the California Privacy Rights Act), and we have these privacy acts popping up in various US states and countries around the world. When we talk about information governance, really what we're talking about is a policy-based control of information, so that an organization can satisfy all of its regulatory, legal, risk, and business demands. It's really just managing your information properly. It's providing good controls on your information so that you know where it is, you know what it contains, you know how to manage it properly in terms of retention, deletion, encryption, and so forth.
Archiving, on the other hand, is a specific solution that will capture all relevant information and place it into archival storage, and then on the back end, provide good search tools so that you can produce that information quickly and easily. If you have an eDiscovery case, if you need to do an early case assessment, if you have to satisfy a Subject Access Request under GDPR, for example, you know where that information is, and you can search for it easily, extract it, and produce it on demand.
It's important to understand what archiving is. When we ask organizations what archiving system do you have, very often they'll say, “well, here's our backup system.” Backup is an important best practice, but it tends to be very tactical in nature, tends to be short-term to restore a server or an endpoint that maybe has fallen victim to ransomware or a hard disk failure. Archiving, on the other hand, is much more strategic. Archiving takes a much, much longer-term focus, because organizations are going to have to retain their records for anywhere from a year (in the case of employment records) to indefinitely (in the healthcare case of a patient’s lifespan plus two years) depending on the industry.
So fundamentally, archiving is a critical first step in implementing an information governance program.
Chadran: That's excellent. I'm glad you make that distinction. There is a fair amount of confusion out there between archiving and cold storage.
To baseline things, what was the state of compliance archiving before the world pivoted?
(For more detailed information on this topic please see Why Information Governance and Archiving Must be Considered Essential Best Practices.)
Osterman: Well, it wasn't great. There were a lot of organizations archiving their data, managing it properly. But what we found is that not all organizations really have an information governance program in place. This is from research we did in 2020. What we found is that about two-thirds of organizations had what they would consider to be an information governance program in place. About a quarter didn't, but planned to have one during the next 12 months. And about one out of twelve organizations didn't have an information governance program, and didn't have any plans to implement one. That could have been because they didn't have the appropriate stakeholders on board, or they didn't have a champion for information governance.
In a lot of cases, organizations – if they're in the manufacturing space, maybe in retail – don’t consider that they have a lot of critical regulations or legal requirements to retain their data. They actually do, but they don't realize that they do, so they don't properly manage their information. We do see more importance being placed on information governance now, but certainly, it's not really where it needs to be.
Chadran: So the primary drivers for companies who archive are compliance-oriented?
Osterman: That's correct. There are some industries that have very specific regulatory requirements. There are regulatory agencies – for example, the SEC and FINRA for financial services organizations – there are various requirements on healthcare organizations. The FDA imposes retention obligations for life sciences and pharma companies. The Federal Energy Regulatory Commission imposes requirements on energy companies, and so forth.
But there are rules for all of us, as I mentioned earlier, with privacy regulations. The California Consumer Privacy Act, for example, requires what they call a “Look Back” period, so that if somebody comes to you and says, “I want to know all the information you have on me,” you have to go back twelve months to produce all of that information. GDPR has similar requirements in what they call the Subject Access Request. If somebody comes to you and says “I want to know everything you know about me,” you have to be able to produce that, usually within just 30 days. And you have to do it at no charge, so that's an expensive thing to do in the absence of an information governance capability.
If you don't have an archiving system, you have to go look through backup tapes, and you have to look through a wide variety of repositories – and you run the risk of missing important information that, for whatever reason, was not backed up. If you have an archiving system in place, it’s a pretty easy exercise.
Chadran: An archive is a rich source of information, isn't it?
Osterman: Oh, absolutely. There's an enormous amount of information in an archive. And a lot of organizations don't seem to realize just how valuable it is. If you look at a typical archive, and if you've had this archive around for a while, it contains a lot of different types of information. It's an indexed, immutable, and timestamped copy of every communication…every attachment sent by everybody in the company, including senders and recipients. You have communications not only within your company, but also with others outside your company: your supply chain, customers, prospects, and so forth.
As I mentioned earlier, we all need to consider a variety of privacy regulations – GDPR, California Consumer Privacy Act, the California Privacy Rights Act – and we're seeing these pop up all over the world. Australia, Brazil, India…just about every country is looking at some sort of privacy regulation, how they can protect the privacy rights of individuals so that their information is not shared. And we've seen this debate come to the fore, within the context of companies like Google, Facebook, Apple, and so forth, potentially sharing information and using it for a variety of revenue-generating purposes.
Can you satisfy these privacy regulations without an archiving solution? And the answer is yes, theoretically, you can. But it's extraordinarily expensive, and very risky. Because if you don't have a good archiving solution, one that centralizes your access to information, you don't really know if you've been able to produce all of this personal data on demand, or if you've actually been able to forget it.