Wednesday, March 5, 2014

Darwinian Survival through Disaster Recovery and Information Governance

It seems like stock prices fall pretty quickly after a data security breach.  Just ask TJ Maxx, Target, Neiman Marcus or Sears.  The big boys probably have their business continuity plans ("BCPs") and information governance rules.  What about you?  What's it all about, Alfie (the CEO, CIO, GC, Webmaster or Board member)?

My dalliance with BCP and "disaster recovery" ("DR") started 15 years ago, when I was negotiating long-term outsourcing contracts for enterprise customers.  No BCP/DR, no deal.

Fast forward to 2014.  Now just about everyone understands BCP/DR, requires it in their cloud computing agreements and maybe even in their strategic supplier agreements for the manufacture of consumer packaged goods, or whatever.  So it's time to reinvent and look at "information governance" as a subset of BCP/DR strategy.  And everyone MUST do something about "information governance," because you can get sued, pay a lot of money and lose customers.  Did I mention you (if you are a senior officer) might get fired?

With your job on the line, where’s the crib sheet for mastering “information governance” and building your own job security plan (“JSP”)?

First step, sound the alarm and look for a BCP.  A business continuity plan works like the Internet: multiple nodes, no single point of failure, resiliency.  You plan for your own company's exit scenarios (and for the stresses leading up to them).

Second step, focus on an information governance strategy as a mini-BCP, directed at information technology, telecom and data security, brand management and liability management (to cut your losses on “stray” or “hacked” data).  Throw in a privacy policy too, with a compliance officer to run the deal.

Here’s the plan:
  • Face the music.  You won’t hear Beethoven, Mozart or Handel being mentioned with Gramm-Leach-Bliley, Obama(Care), or the less eponymous laws like HIPAA, HITECH or regulations on banking, financial services or insurance (“BFSI”).  Frame your frameworks.
  • Do some yoga.  A little flexibility, a little strength and resilience will help your company deal with surprise encounters of the info management kind.
  • Round up your data, Cowboy/Cowgirl!  Identify sources, uses, flows, warehousing, processing and transmittal of data.
  • Put your data collection on a diet.  Imagine a Web without intrusive cookies (something EU regulators are considering, since geolocation tools make it easy to identify individuals).  Collect and keep personal data (and data that can lead to the identification of an individual) only if you "need" it.  Otherwise, it's digital baggage that, if hacked, will cause legal and branding hassles.
  • Orchestrate your musicians. 
    • Identify “records custodians.” 
    • Designate an “information governance team” for all managers who will have inputs into information management and technologies.
    • Designate an “incident response team” and allocate roles, responsibilities and strategies for each team member.   Include HR, IT, marketing, legal, purchasing, compliance, finance and
  • Get political.
    • Identify all of the company’s constituencies who may be impacted by an “incident.”  Consider suppliers, licensors, licensees, customers, joint venture partners, regulators, public relations, reporters, shareholders, directors, officers, employees, lenders, courts, litigants, and anyone else affected by your business.  
    • For “B corporations,” consider your social and environmental mission and constituencies.
  • Unchain your paranoia.  Assess vulnerabilities and mitigate risks.
  • Virtualize and diversify your supply chain (through to your customer delivery service too).  Identify and plan for “disaster” scenarios and the impact on operations, legal compliance, customer loyalty and the company’s value chain.
  • Treat data like gems and rare anti-venom snake serum.  For legal issues, the plan should address preservation of legal records and evidence, engagement of forensic analysts and timely statutory notifications of security breach incidents.
  • Party hearty, but only after you successfully run your mock "disaster" ("incident").  The "incident response team" must practice the "tabletop exercise" drill of data recovery, data security breach notifications and remedial public relations.
  • Be democratic.  Get everyone involved, trained and conscious.
  • Adapt.  Evaluate and continuously monitor the data security practices and compliance of your internal and external tech providers.  Revise your policies to adapt to new threats and scenarios.  Take a trip to the Galapagos Islands and see what adaptive survival looks like.
Sometimes looking at digital life in analog form makes good sense. Stay healthy.