 Welcome today to our guest lecture which is on the growing importance and impact of information governance. And to say that our presenter is Robert F. Smallwood and I want to say a few things about Robert so that you know where he's coming from when he starts sharing all of these terrific things with you. Robert is CEO of the IG World Magazine, the Certified Information Governance Officers Association and the Institute for Information Governance. He's an industry leading author, keynote speaker, podcast host, consultant and educator. And with eight published books on information governance topics, he's the world's leading IG author and leading authority on IG. Over 18,000 professionals have completed his IG Essentials training course on LinkedIn and hundreds of others have taken his instructor led training to earn IG certifications and you can count me among his students as well. In addition to teaching IG courses, Robert consults with Fortune 500 companies and governments to assist them in making technology decisions and implementations and some of his past research and consulting clients include the World Bank, NASA, Johnson and Johnson, Apple and AT&T. Because Robert has so much to share with us and we have so little time today, we ask that you hold your questions until the end, but please do put them in the chat area so that we can come to them if we have time. And right now I'm going to stop sharing so that Robert can share his slides and his expertise with you. I appreciate the invitation and hopefully give you sort of a background on information governance and how it developed and I'm going to get into some some actual case studies of some things that I think that where information governance is having an increasingly greater role. So just an introduction to information governance. We're going to talk about information governance, not information government government and we'll talk about also some of the confusion between data governance and information governance. And why that is information governance really kind of started in 2001. So in the National Health Service in the UK required information governance training in the 2001 2002 timeframe for any professionals handling clinical data, patient data. And that's really kind of where it launched even though information governance was mentioned in the literature, you know, in the decades before that. That's when it was really kind of kind of put into practice and it's very well developed over there. But it didn't really hit the shores of the US till 2014 when there was a launch of the information governance initiative which is a trade group that got together about 20 and eventually 25 30 vendors got together and funded research studies and webinars and educational kinds of activities to be able to to foster the maturation of the IG industry and discipline. ARMA launched an IG executive conference and right in that timeframe 2013 14 also launched a certification called the IGP information governance professional. And then info gov con was launched in that year which was an information governance conference that went on for about five years in the Hartford in the northeast there in our Hartford and Providence area. And later that was folded into now is part of the ARMA show, the Records Management Trade Association. I launched Institute for Information Governance and live training in 2014. A lot of e-discovery vendors and records and information management vendors rebranded and all of a sudden said, we're now information governance, which adds to some of the confusion. And also, my book came out in 2014 and this is the new version this is the 524 page second edition, which has a lot more good information that that, you know, as things changed in the five or six years between when I wrote the first book, I updated that. So what is information governance? Well, we've had definitions like this out there. And this is really part of the problem why people have a hard time articulating what is information governance. And in my view, this is not a helpful definition. This is just too verbose. It's too wordy. You know, Gartner even said, well, all we did was take it, you know, from our definition data governance and fit it into this. So it's not really a good definition. And Doug Laney, who's the author of Infonomics, likes to say that Gartner analysts get paid by the word. That's why it's such a long definition. And really information governance will be just back up and try to simplify things. It's getting your house in order, cleaning house. George Socia from who's a co founder of edirm.net and the IG reference model. He said, you know, he told the story went into his daughter's bedroom found in the closet a sleeping bag. And he said, Why would that be there because we have cubby holes very specific place in our basement to put sleeping bags and I would have never thought to look for a sleeping bag there. And this is the same kind of thing that happens in with information in organizations, people file it away, the way that they might retrieve it and might be simplest for them to retrieve, but there's no standardized way. And therefore searches turn up little or poor results when other people are looking for the same information. So you want to go from a metaphor where your electronic files look like this and they're a mess and they're, they're duplicated and and they're haphazard not organized. You want to really go to more of a metaphor like this which is a medical records library which is very well organized. And the, the Dewey decimal system in libraries, you can walk into a library even before there were computers and you could find the book exactly the book that you wanted within a few minutes because they stuck to a very rigid and structured standardized classification And this is really what we need to do to get our arms around managing electronic information. It's not unmanageable. It's not, it doesn't have a life of its own. I don't buy that, you know, information has to be free and it's going to, you know, do what it wants to do. It's finite. It can be controlled and we can, there are tools today to be able to manage and control it. So in short, information governance is about minimizing information risks and costs, maximizing information value. So we can, when you want to articulate that to a senior manager or your or executive or a boss, that's fairly easy, easy to articulate. Hey, minimizing information risks and costs or maximizing information value will unpack that a little bit. The information governance initiative to find it as the activities and technologies and organizations employed to maximize the value of their information while minimizing associated risks and costs. So essentially, I have boiled that down into an even more succinct definition, you could say that information governance is security, control and optimization of information. So that's something that you could quickly in one sentence articulate. This is exactly what information governance is. So it actually maps to the IG initiative definition because if we have found our confidential and personally identifiable information and protected health information, we can then lock it down with encryption and we can reduce the risk of breach or if a breach does happen, we reduce the impact of that breach. For instance, there's a California law that if you're personally identifiable information has been breached, but your that information is encrypted, you don't need to be notified. But if it's not encrypted, then everyone has to be notified by mail, which is a very expensive process. So if we focus on security and reducing the impact of a breach or ransomware or malware attack, we're reducing the risks and costs of the information. Also, we can control information. We want to control it within the enterprise and even outside of the enterprise. You know, there's software called information rights management, where if I had a laptop or a mobile device and I had 10,000 confidential documents on it. And let's say that you got that person got fired, I got terminated. Now, what do we do with that? How do we control that information now that it's outside of the organization that's on a laptop or a mobile device? Well, there's software called information rights management. And I'm not talking about the information rights management from Microsoft, because it's not very good, but from some other companies like C clore and covertics and next labs. And some of those most of them came out of Israel out of Tel Aviv actually, this is military application. So what would happen is if this person left and they had, let's say, let's say they have their laptop this month. And they have 10,000 year documents on there. Well, next time that person opens up that laptop and tries to access those documents, it's going to go to the cloud if they're protected with information rights management, or it's going to go to a server. And it's going to come back down and say, does this person still have access to these documents. And if you've turned off access, it'll go back down and do a virtual shredding, it'll shred all those documents. So they wouldn't be able to access them. And it's a way to almost remote control documents, even after they've left your organization. So you want to control documents so that and information so that you can minimize the impact of any kind of a bad actor. And you're also going to maximize the value of information because you're going to get the right information to the right people at the right time. And there are various tools and techniques to use that to accomplish that. And you want to maximize the value while minimizing the costs, which is really optimizing information. And that's when we get into some of the concepts of infonomics and data monetization, as articulated in Doug Laney's seminal book, Infonomics. And so you can see that really this definition, security control and optimization of information, maps to some previous definitions. And the IG initiative definition really wasn't new. It's very similar to one that the Sedona conference put out, which is a think tank out of Sedona, Arizona, they put out a definition maybe, you know, seven, eight, 10 years ago. And those IG security of information, you want to secure it in all three states, if at all possible. It's easy to secure it at rest, we're going to just use encryption and those kinds of tools. In transit, we're going to encrypt communications. The most difficult is to actually to actually secure information when it's in use and there are very few software packages that can do that. So we want to identify our confidential information assets and personally identify the information and lock it down with additional security. And you want to the more confidential, the more top secret, the more valuable the information, the more you're going to invest in information security to have the proper level of information security, depending on that value. And control information within the enterprise will use tools like identity and access management. That's also known as single sign on where you actually when you log in, it provides you access to the applications and information that you need to do your job, but no additional information that is called using the principle of least privilege in the cyber security world. The principle of least privilege means that you provide the minimum amount of information a person needs to do their job, all the information they need, but no additional information. There's an example of a gentleman who was working in a French major French bank. I can't pronounce it properly credit line ease or lion eyes. And, and, and he went from from one department to another he went from the trust department into commercial banking into investments and, and up and over and, and each time he moved to a different department he got more access to more data and more applications and, and they never cut off his access to the previous set of information he needed for his previous job. That's called the credential lag. And so what happened is he ended up getting a lot of access to a lot of information and he was making billion dollar investment bets. That's where the bank was fine with that in the 2005 six seven time frame but when 2008 hit and that there was a crash. Then they came down on him so you want to control who has access to which information internally in the enterprise but also if you can use some tools to secure documents and information, even even externally, even if they've left the enterprise on a mobile device and tools like information rights management can do that. So you want to control who has access to which information and when information rights management software can actually allow a person to access certain information on their desktop, but not on their laptop. Or during the workday, but not after hours or on weekends so very specific contextual access to information for the same user, but depending on time of day and by device so that's really controlling information internally and externally and you want to get the right information to the right people at the right time, but you want to do that in a secure fashion. So optimization of information means that you have a record retention schedule in place you follow it standardized on a systematic basis, when a file series meets its life cycle requirements. It is then dispositioned 90% of the time that means destroyed. It can also be archived or transferred as narrow does in the federal government. And the most valuable information really that's left over from that maybe we could leverage that across the enterprise maybe there's information and research and development that could be used in marketing or maybe marketing is getting some signals out in the marketplace that they could feed back to research and development and that could help spur new innovation and new product development. So we want to get rid of this typical approach of silos of information in an organization where it might be a silo for finance and one for human resources and one for marketing and one for research and development and so forth and we want to try to leverage leverage information across the enterprise and do what's best for the organization and try to provide new insights and value. And often that can be gained by taking some of the data that you have and and and marrying that up with or comparing it with external data and there's plenty of external databases. You know who buys you know raincoats in in the rainy season in certain zip codes that kind of data maybe that affects your organization and you have some internal product data that you can match that up with so you can get some real significant insights when you when you pair up or you you compare external data with your own internal data. So there are some tools that can be used content analytics file analysis is a key tool in information governance where you actually spider or you're searching across all the shared drives or or the storage area network or any storage system in an organization and you're looking for these documents that are unstructured like Word documents and Excel spreadsheets and PowerPoint and you're searching for who's what's the topic what's the author when was it last access if it hasn't been accessed in five years maybe we don't need it for instance but file analysis can tell you the topic the author the data was created the the length of the document and so forth and it can actually start to insert metadata tags some of the advanced software and shape up and remediate and clean up the so they're these these collections of documents are more searchable and knowledge workers have more access to them. Tools like predictive coding which is basically teaching software to look for responsive documents in a particular legal matter and basically you train it by you go to the you go to the software and you feed in some documents and you feed those documents in and and say OK software go find some more like this or emails they could be then the software comes back and it says OK how about this you go oh the lawyer for that case is OK yeah more like this and not these and then the software goes out and learns how to find those a little better and then comes back OK yeah more like this but not this and it gets a little better and it really doesn't have to be perfect in case you're eliminating that $200 an hour lawyer doing that physically manually by hand and making those decisions and using artificial intelligence and neuro computing to be able to dramatically cut those costs and it doesn't have to be perfect. The courts have said 70% or better finding the responsive documents in the legal matter is as good as a human could do. So that's good enough and then of course we're going to use analytics and we have to get to that structured information. So the holy grail of information governance is trying to get unstructured information which is 80 to 90% of what businesses and organizations use. And that means email PDF scan documents word Excel PowerPoint those kind of documents as opposed to structured information which is in databases in columns and rows and the holy grail is to get to the structured metadata of the unstructured information to be able to standardize it and be able to search it and make it more usable for the entire organization. So I often see even very sophisticated and talented top consultants confusing data governance with information governance and really it looks sort of like this at the very highest level you have corporate governance. And that manages very high level risks with software called GRC which is governance risk management and compliance software. And corporate governance has been around as long as corporations have been around that's your stockholder agreements your shareholder agreements your bylaws articles of incorporation those kinds of things. And, and that's at a very high level then you have information governance which is security control and optimization of information across the organization. Then it governance which are which is applying frameworks to the it processes of application development and service management using tools like COVID-19 COB it 19 which is control objectives for it the previous version was COVID-5 for some reason it would turn into COVID-19 or it I L it infrastructure library for service management. And these has this has a series of metrics and controls where senior managers executive CEOs can actually see what's going on what progress is being made in the it department toward the accomplishment of business objectives. When I first got into the computer business decades ago, the MIS director or the it director at, you know, for instance, a small bank would be able to write custom code to interface to the ATMs to update the general ledger and and the CEO had no idea what that guy was doing in it and didn't know if he was, you know, documenting what he was doing, or if he's got five he fired him what would happen with this with the bank collapse with a with a with something blow up, you know, put a demon in there and agent in the software that every left would make it unusable. And so it was very frustrating for CEOs and chairman and executives in these large corporations because they didn't know what was going on. It was like a black box in it. So these were developed these these controls were developed to be able to track the contribution of it's progress toward the business objectives of the organization. Then we have data governance and that the data governance level we're trying to get good clean quality data at the point of entry as close as we can to the point of entry. If you go online and you buy a plane ticket or something, you can't put in a zip code that says ABC DE, it won't allow it. That's forcing data governance at the point of entry to make sure you input a valid zip code. So with data governance, we have typically a business, a data steward in a in a business area who's responsible for ensuring that you have the processes proper processes in place, the formal processes to ensure you have good quality accurate data at the point of entry so that all the downstream reports and analyses are more accurate. So this is very broad at a high level corporate governance and goes down to very detailed at the data governance level. So it includes concepts from a variety of disciplines because there wasn't a discipline that really covered it all. So it includes corporate governance records management, cybersecurity e discovery, litigation readiness content management or content services. IT governance data governance data protection data privacy risk management regulatory compliance digital preservation content analytics business intelligence even knowledge management and more so it's all those things it's really kind of a super discipline because it includes all of those things. And it really emerged because there were more and more regulations more more laws and more and more data coming because of the big data trend. So really multiple disciplines were needed to address this this kind of a more modern management challenges. But information governance really should start just like any other project or program with focusing on the business objectives of what are you trying to accomplish. And so you establish your business objectives then determine what information do I need and then how do I secure and control that information. I was in the in the hurricane Katrina and in Hurricane Katrina in New Orleans they had dozens of buses that the New Orleans public school system had access to and the mayor decided that he didn't want to step on their toes so you know he could have access to those buses to get people to Baton Rouge or Houston out of there so what if we're trying to get people out and evacuate people who don't have transportation. What are what's our business objective well that that's our business objective get them out get them to higher ground. So what information do we need for that well we need to know you know where those buses and and even who's the qualified drivers for those buses and maintenance records make sure that they're you know ready to go and even get these and so forth and and and then we could accomplish that objective. So I G is about determining your business objectives determine what information you need, and then securing and controlling that now. You're also going to apply appropriate information use policies so you're going to update or redo perhaps your policies for access to social media to social communications on social mobile cloud, as well as your email and others and you want those to be linked and to be consistent. And ultimately you're trying to maximize information value now information governance is more strategic. It's more about the why information is needed and how long it has business value and often people struggle with well what's the difference between that and information management. Information management is more of the how of how information is managed so that's the everyday blocking and tackling provisioning systems, keeping the network running help desk. You know that kind of every day, keeping the IT information management systems up and running that's information management whereas information governance is sort of a higher level umbrella concept. The programs are really about enforcing policy consistently, and that means that your record retention schedule is standardized and it's enforced in a standardized way, your policies for use of email social mobile cloud and so forth are consistently drawn and enforced as well and So really the first step in a lot of information governance programs is to create a data map, or an information map and, and this is also the first step in privacy management program so with the big pushing privacy that started in general data protection regulation GDPR in the European Union and further pushes because of the California Consumer Privacy Act and and the new Consumer Rights Act there's a lot of activity around privacy and really the first step there is to map where are we holding our private data personal identifiable information protected health information and credit card information. So we can map that and lock it down with encryption. And we also from a privacy management standpoint need to find all the incidences of a person's PII so that we can erase it if they ask us if they if they have the right to be forgotten and they want it to be erased so you have to be able to know where all your information is. We've been automating for decades but it's been in a very sloppy way. It really hasn't been the governance there to know what our information holdings are information assets are and even 80% of the information that is managed in major corporations today is redundant outdated or trivial it's just it's worthless information and they they haven't taken the time to set up a metadata standardized metadata approach and a business classification scheme and and and and a taxonomy to be able to govern that information properly so now we're having to kind of do it retroactively and there's it's a big mess. So there's a lot to do for information governance for any students thinking about going into it for the next decades. So we know that the bad guys can get into perimeter they can they can easily hack and get into the perimeter so your confidential and top secret and personal identifiable information has to be identified and locked down and secured so even if they do get in they don't get to the crown jewels. So information governance is also really about manage that managing that information lifecycle from creation through use through final disposition. And that just means you have a records retention schedule in place and you follow it consistently. So what that means is information is kept as long as it's needed by regulatory requirements and sometimes a little longer because you're you may have business area needs that are longer than that. And then it's discarded according to a standardized record retention schedule, unless it's on legal hold or it's declared a record. So why do you need information governance. Well, first of all, just the big data trend, you know, I mean this is there's all kinds of, you know, characterizations but 90% of the data in the world is created in the last two years. Big data can be defined as high volume high velocity high variety, the three bees. Doug Laney came up with that too so it's coming out of a greater volume is coming faster and it's coming from more different places so more different devices. Excuse me sensors like you know Internet of Things sensors mobile phones this wasn't in existence 20 years ago. So we have a lot more data than we have before. So we have special databases and tools to be able to handle big data. So you can't handle it with a Microsoft with an SQL database it's just too many rows and columns you can't handle it with an IBM DB to database it so new tools had to be developed. So we just look at the scale up of this digital universe just in the last 10 years and it's just really dramatic you can see how much more information we're creating them and we used to. And from a business standpoint we want to get rid of it as soon as possible to minimize our costs and our risks and from a big data standpoint big data people want to keep everything all the time forever, just in case you might need it. So more data is always better there's no downside to accumulating it but in the business side, if you leave emails in there and over retain information that can be called into court and that can be something that could sink you in court whereas if you follow your retention schedule and you deleted it because it met its lifecycle requirements you don't have that exposure of over retention. So you have to discard this data debris or dark data which lacks metadata it's undefined basically. And once you get down to some some structured metadata, and it's clean accurate trusted information then you can do some analysis and get some new insights World Economic Forum says data is the new oil Doug Laney hates that because oil is depleted whereas information is not information can be copied over and over again and be reused over and over again resold over and over. So it's, it doesn't really have the same kind of characteristics but the idea is that it certainly has value. This study which is done away a while back but it's been proven out empirically that by the compliance governance and oversight council which is now owned by IBM but what they found was that only 25% of information stored by organizations had real business value. 5% was kept as records 1% on legal hold. If you do the math, it comes out to 69% is junk, redundant outdated or trivial. Some people argue this. Oh, well, our organization doesn't have that kind of waste and inefficiency. Well, okay, we can do a trial on your data with some file analysis software take a couple of terabytes and see how much redundant outdated and trivial information is in there. But what is the number for your organization isn't 50% and if it's 50% that means half your resources, your expensive high value tech people in the data center and your raised flooring and your air conditioning and the electricity and the lights and everything that goes with running a data center. 50% of that is being wasted on information that has no value or, you know, maybe you do a really great job and it's only 33% that's terribly inefficient still terribly inefficient. And this is not necessarily a high high number. One of the file analysis members did an analysis at the US Marine Corps and found 80% redundant outdated and trivial information at the Marine Corps so. And I know organizations like we've been inside like mass mutual, and they keep stuff forever, you know, the 10 years or more and they and it's all dark day that more than half of it they don't even know what it is so even companies that are household names. I could go on and on now that my non disclosures have expired PNC bank terrible, terrible fifth largest bank in the country knew that they had a big information governance problem. They knew that JP Morgan Chase and Bank of America had been fined over a billion dollars apiece for not being able to provide the documentation for regulators in other words poor information governance, and they still this was five six years ago they still couldn't get an IG program launched and they still are struggling with it so big corporations have big problems in this area. And artificial intelligence and auto classification is really going to be sort of the only way out of it to clean all these collections up. Ideally you want a smaller information footprint with more accurate and clean data, and less less redundant outdated and trivial information and then you can leverage that for better insights. And that's the e-discovery, which is the pre trial phase of litigation and civil civil matters. When you have to go through these gigabytes and ter gigabytes and terabytes of data. If you can pair that down and just give your lawyers the stuff that matters, you can save about $18,000 per gigabyte and that adds up quickly. If you look at the e-discovery reference model, that first bubble is information governance. In other words, get your house in order and clean up and then you can go through the whole process of identifying and processing and producing information for in a court for litigation purposes. And Gartner stated that one in five CIOs would be fired for court information governance initiative. So with a smaller information footprint, you can more easily find because the search engine doesn't have to do as much work. It's not searching through as many files. It can go faster and it can execute more accurately. So some of the benefits of information governance, it reduces legal risk so you're not over retaining information. And electrically stored information or ESI is discarded in a systematic way according to your stated and standardized policies. And if it is destroyed, then it cannot be requested in legal proceedings and you can't be sanctioned for it because you followed your... You didn't just go back and delete stuff for this case, you followed your standardized record retention schedule. And this allows you, if you have a cleaner house to more quickly and completely implement legal holds, I've done work for companies that they couldn't find information very well. In fact, regulators said you should be able to find that document, that maintenance document in 15 minutes and it took them literally three weeks to find a document. And that's because it was manual and they had a terrible... It was just terribly organized. But you can more narrowly and in a granular way put a legal hold on information like the emails from this date to that date for this person. As opposed to in this case, this organization I'm talking about, they just put a legal hold on an office. They're like, okay, you're the controller. Everything you do is on legal hold. You're the CFO. Everything you do is on legal hold. You're a general counsel. Everything's on legal hold. And a bunch of people were on legal hold. Terrible environment to work in. And it's all because they have terrible information systems. The funny thing is, it's a super profitable company. So it's a company that's a billion-dollar company, makes 100 million a year. They only have 1,000 employees, which is a real high number. We're a million in revenue per employee. So they always figured, well, we're doing this well so far. But it's coming home to rules that can have to clean things up. Another key principle of information governance is it requires cross-functional collaboration with your key stakeholders. And if you look at the IG reference model, some of these key areas are legal records of information management, IT, privacy and security, and the business unit. So these are the key seats at the table. You have to have these seats at the table to get launched in an IG program. And the value of this diagram really is mostly in just introducing information governance. If you're launching an IG program, the centric part depicts the typical records management paradigm. We want to shoot for policy integration and process transparency, policy integration, meaning our email, social, mobile, cloud. All those policies are consistent and process transparency and unified governance. We're really doing this for the good of the whole organization. And back probably five, six, seven years ago, the IG initiative did this study and they asked IG professionals, what would you say is involved in information governance? And it came out as all of these things, but I kind of like to focus on this slice here, which is records management, records information management, cybersecurity, compliance, data recovery, data governance, privacy, risk management, data storage and archiving. And what's changed since this has happened is some of these things on the left, like data science and finance with the advent of informatics and data monetization, have become more important and certainly privacy and cybersecurity have become bigger slices of the pie. IG requires strong executive sponsorship because you've got all these different players. You've got, you know, REM, IT, privacy, security, business units, and you need a strong executive sponsor. In fact, this is the number one success factor in IG programs. And most people think, well, it's budget, you'd have to have budget, right? But there's a lot of things you can do without budget. You can design your, you can develop your business objectives for the IG program. You can develop metrics to measure your progress toward those business objectives. You can draft a project charter, a program charter and state those objectives as well as list out who's going to be on the IG steering committee. You can do a pilot for free from a file analysis vendor. So you can get a lot of steps in place before you really get budget, but you really have to have a strong executive sponsor to drive things forward. And that means that they have leadership from the top down, but also you're implementing from the bottom up the actual implementation. And the executive sponsor really is responsible initially for the budget and making the business case and getting the team together and then later checking on milestones and metrics as you progress. The one thing missing from the IG reference model is change management because all IG programs are really effectively change management programs. And that's because you're getting people to realize the value of information, but also the risks of information. And you're going to change maybe a little bit about how information is presented to them in their everyday job. The IG programs initially at least are often aimed at reducing legal costs and information risk. And this is why we see so many general counsel, deputy general counsel, assistant general counsel driving IG programs because it filters into privacy and the retention periods and all of this has to be blessed by the legal department. And then it may be they lost a big case. That might be the reason or maybe there was a major breach and they need to address that but often or maybe just legal costs have been going out of control. And we need to try to rein them in. And so we can use tools like predictive coding to do that. Truly IG is about standardizing and system with systematizing your handling of information. And you want to really optimize how information is managed to control stored even preserved. And you always have to have an audit process to be able to track how well things are going. And you need to update all your policies and make sure that they are linked and that they are consistent. Remember IG programs are like they're ongoing. They don't stop. You don't finish. They continue to expand. You can really think of them as like a workplace safety program. So it's not a project. You know, you don't buy a software package and say we did information governance. And the program and under the umbrella of IG, you've got privacy, security, RAM, e-discovery, informatics and analytics, content services, a lot under that umbrella. And really it's like an information IG program or information safety program but also we're looking to optimize information. So if you've ever been in like a chemical plant, they always have posters of material safety data sheets and safety reminders. And I even worked in oil refinery once and, you know, safety was like the number one thing. And this is the same thing with an IG program. You want to use posters. You want to use newsletters. You want to do in-person training, you know, security awareness training, privacy awareness training, news management awareness training, those kinds of things. And then you need audits to be able to have feedback based on your metrics and you can continually improve. So why is information governance so important today? Because of some failures in information governance. We look at the Sony Pictures breach. 4,000 emails were found in the general council's trash bin. Shouldn't they have had a policy to go through and clean up those emails at least once a week? Because gosh, that would make for interesting reading. The personally identifiable information of all the employees was exposed. Their confidential business plans were exposed. And now they had to create different plans that are suboptimum. And actually they threatened to bomb theaters if they opened up the movie. And so that was the first incidence of input terrorism. With Target, and really all they had to do was secure those, let me go back to that, all they had to do was have an email management policy, but also secure the personally identifiable information and all your confidential business plans with encryption or information rights management. So even if they did get inside, they wouldn't get that information. Target had about a $100 million breach. What happened there was, and it demonstrates that you need to even look at your third party suppliers, they had purchased some new credit card readers and they installed these card readers, these magnetic card strip readers in all their stores and the bad guys had put some malware on each reader. And whenever somebody came and swiped a card, the malware would capture that and they would have all that person's fresh data. So they didn't get inside the data center. It wasn't a hack. What they did was they got inside the third party companies that the provider of these credit card scanners. And so your information governance program needs to even extend to your suppliers. And in this case, that supplier did not conform with the PCI DSS standard, which is the payment card industry standard for security. And it cost them dearly and the CEO got fired over that. Pacific Gas Electric up in the San Francisco area, they're required to do X-rays of pipes. So the gas pipes as they are going, they're supposed to X-ray them and look for cracks so that they can maintain them before they split open and blow up. And so PG&E had the greatest records retention schedule you could develop. You know, a beautiful, developed by a big four accounting consulting firm, right? Great schedule. No audits. Nothing to say that they actually followed that schedule. So they were actually told not to keep those records because that could be liability. And what happened was as more and more gas pressure went through those pipes and the population grew in the San Francisco and north of there in San Bruno, it exploded and it killed eight people. The government found PG&E criminally liable, but did they find the executives who made those decisions criminally liable? No. So that's the downside. That's the problem with American corporate veils is people can hide behind a corporation and make sure they get their maximum bonuses because they didn't pay for maintenance. And they never, there's never no consequence. They had the same issue a few years later, same kind of an issue with electricity. They weren't maintaining the high tension power lines. And they had no ways of monitoring if they would snap or break and they'd snap, break and start fires and make billions of dollars of damage. Why? Because they didn't do the maintenance. Why didn't they do the maintenance so their executives could get bigger profits or bigger bonuses? Chipotle Grill, now this is a funny one because if you ever watched the show Billions, they actually portrayed a similar incident to this where Chipotle had food was being poisoned with the Norovirus and E. Coli and they couldn't track in where in the supply chain. What they really needed was the information in the fields and then in the processing center and then their distribution center and then the stores. And they should have sampled all along the way that meat and see if it was contaminated because it would be very simple for a hedge fund billionaire to go to a Chipotle and find a student worker, let's say, and say, here I'll pay you $10,000, $100,000, whatever it might be. All you got to do is drop this vial of stuff into the hamburger. That's it. Don't worry, it's not going to kill anybody. Just make them a little bit sick. And then of course Chipotle lost one third of their stock value after that. And the FBI said that Chipotle's record keeping system actually hindered their investigation because they didn't have good information all the way from the farm to the table. And they really needed to have not only testing the quality, but they should have had cameras all the way through to see if somebody was sabotaging them. Now we have more recent examples. In December, multiple government agencies were breached. In fact, 18,000 out of the 33,000 plus customers of SolarWinds were breached. SolarWinds is an IT services and security company, security company that had no chief information security officer. They targeted not only the cybersecurity firm FireEye, but also the US Treasury Department, Department of Commerce, Department of Homeland Security. And yeah, there was a warning for this because a year earlier in November, a researcher noted that their server had a password of SolarWinds123. And he said that any hacker could upload malicious files and they'd be distributed to all your customers. And so this is why you want more complex passwords. For some reason that was posted publicly. And so this hack happened. The stock price fell. I've got the stock chart up here. It fell 25% immediately and 40% in that week and it's still down. It's still down about 30%. So it can really affect your brand's value, your company value. And that's why I think more and more chief financial officers need to get involved in information governance efforts and to take a more active role. And oh, by the way, their executives knew about the breach, but it hadn't been reported publicly and they quickly sold off 280 million in stock. And so they're being sued for that as well as the loss of value. In election results we had in the state of Iowa, which I'm from originally, and this pained me because they had in the caucus the first one of the year and we're always very proud as I was that this is the first presidential caucus and oftentimes they predict the president. So they had a mobile app that for the first time they're using to collect this, this voting information, but they obviously didn't do a stress test with, you know, basically you emulate the live environment before you ever go live. And these kinds of things should never happen if you're if you have the proper processes and procedures in place to ensure that you have good quality data. And so proper information governance principles would have avoided this problem. And, you know, it had issues with with the reporting in in Pennsylvania and Georgia and all over. This is all about poor information governance. And that means we need to control the information from the time it's the voters cast to the time that is reported and make sure that chain of custody has been protected and can be proven so that nobody edited or changed any votes. So this is very crucial from a from a election standpoint. Then we have the pandemic response. We had a lot of confused messaging. So, you know, what was it where, you know, we're they're they're implanting microchips with this with this Bill Gates is doing it, whatever the confused messaging but the idea of the New York State nursing home desk, the reporting of that the accuracy of that. If you secure information at the point of that it occurs and if you are able to make sure that you have that chain of custody secured and controlled, then you would have good accurate information. There should be no point, no area, no, no, no point in that process where that data could be changed or altered. We also need to know the act that number of infections and the testing rates that accurate information is very important. We also need to know what are the results of these clinical trials and and, you know, half a million Americans have been died so far and that's, you know, more than World War One, World War Two and the Vietnam War put together, which is insane but what people don't realize is 250,000 Americans die every year just for medical mistakes. It's the third leading cause before COVID, it was the third leading cause of death behind heart attacks and cancer. So we've got an information governance problem in health care as well. I wrote, I wrote this book, Information Governments for Healthcare Professionals. And, you know, it's, it was eye opening to me that we have such poor information, such poor information in our healthcare system and that was because of a rush to sort of a rush to automate and get into electronic patient records. U.S. government gave each hospital $2 million to implement electronic patient records and they said you only had to have meaningful use and meaningful use meant it had about 40% of its capacity. So what happened? Bunch of software vendors sold a lot of software and did really crappy implementations. And so now we have people getting the wrong leg cut off or, you know, getting treated for something they don't have and that kind of thing. Really poor information because it's not our training of our doctors. It's not the medicines. It's not the quality of the equipment. It's poor information that's killing Americans quarter of a million a year of dying even before that, even before COVID. So Information Governance is really more important than ever. It has a major impact on government operations, the security and accuracy of our elections, stability of financial markets and the accuracy and efficacy of medical treatments and really corporate security and brand equity. So it's important and it's getting more and more important. And a lot of our problems today are a result of poor information governance. So with that we got just a couple of minutes and I'll see if I can, if we have any questions here. This is terrifying. Great. Okay, use my book. Okay, good. Do you find that organizations have their own ID department are effective? Or is it best that organizations hire an outsider ID organization to come in and go through things? Well, they'll often use, you know, a consultant like me and there's, you know, we're starting to see more and more people that are getting the information governance in their title, but it's really not a department. It's a program that is umbrella and it crosses multiple departments. And with that, I don't see any other questions. And so I think we're good and we are right at about time at our top of the hour, huh, Pat? We are. And thank you very much. I'm going to stop right here because I know that a number of people have other places to be in about two minutes here. So thank you. This was really very interesting. And I'm so glad that there were so many people that were able to join us today. It was excellent.